PowerShell Decompress Commands

Sigma Rules

Summary
This detection rule identifies specific decompress commands executed in PowerShell logs, focusing in particular on the `Expand-Archive` cmdlet. Such commands can indicate malicious activity in which an adversary decompresses files that contain further malicious payloads or executables. The rule looks only at logs generated by PowerShell Module Logging on Windows systems and matches on the presence of this command. Because file decompression is frequently a legitimate administrative task, the rule's level is set to 'informational': it highlights possibly deceptive uses of the command without asserting a high likelihood of compromise.

The rule is one part of a broader network defense strategy aimed at improving detection of adversarial activity in compromised environments, and it maps to MITRE ATT&CK techniques associated with defense evasion. It remains in testing status and is tied to ongoing research within the threat hunting community.
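The following is an added worked example, not the Sigma project's rule or code, showing how the logic summarized above behaves when run over PowerShell module-logging records. It assumes the Windows PowerShell Module Logging event format (Event ID 4103, with a `Payload` field listing `CommandInvocation(...)` and `ParameterBinding(...)` lines); the sample events, user names and paths are constructed for the example and are not real telemetry. The parameter extraction is an addition for analyst triage and is not part of the rule described on the page.

```python
"""Added example: evaluate the 'PowerShell Decompress Commands' logic over
PowerShell module-logging records. Not the Sigma project's own code.

Assumed log format (Windows PowerShell Module Logging, Event ID 4103): the
Payload field contains CommandInvocation(...) and ParameterBinding(...) lines.
All events below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Cmdlet the page's rule treats as a decompress command.
DECOMPRESS_COMMANDS = ("Expand-Archive",)

# Metadata mirroring the page: informational level, testing status.
RULE_LEVEL = "informational"
RULE_STATUS = "test"

# Matches one ParameterBinding line of a 4103 payload (format assumed above).
PARAM_RE = re.compile(
    r'ParameterBinding\((?P<cmd>[\w-]+)\): name="(?P<name>[^"]+)"; value="(?P<value>[^"]*)"'
)


@dataclass
class PsModuleEvent:
    event_id: int
    user: str
    payload: str


def find_decompress_command(event):
    """Return the matched decompress cmdlet name, or None.

    Mirrors a Sigma 'Payload|contains' clause: case-insensitive substring
    match, restricted to module-logging records (Event ID 4103).
    """
    if event.event_id != 4103:
        return None
    lowered = event.payload.casefold()
    for cmd in DECOMPRESS_COMMANDS:
        if cmd.casefold() in lowered:
            return cmd
    return None


def extract_parameters(payload, cmd):
    """Collect the parameters bound to cmd (e.g. Path, DestinationPath) so an
    analyst can triage the informational hit without re-querying the log."""
    return {
        m["name"]: m["value"]
        for m in PARAM_RE.finditer(payload)
        if m["cmd"].casefold() == cmd.casefold()
    }


def run_detection(events):
    """Evaluate every event and return one alert dict per match."""
    alerts = []
    for ev in events:
        cmd = find_decompress_command(ev)
        if cmd is None:
            continue
        alerts.append({
            "rule": "PowerShell Decompress Commands",
            "level": RULE_LEVEL,
            "status": RULE_STATUS,
            "user": ev.user,
            "command": cmd,
            "parameters": extract_parameters(ev.payload, cmd),
        })
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    PsModuleEvent(4103, "CORP\\admin",
                  'CommandInvocation(Get-ChildItem): "Get-ChildItem"\r\n'
                  'ParameterBinding(Get-ChildItem): name="Path"; value="C:\\Temp"'),
    PsModuleEvent(4103, "CORP\\jdoe",
                  'CommandInvocation(Expand-Archive): "Expand-Archive"\r\n'
                  'ParameterBinding(Expand-Archive): name="Path"; value="C:\\Users\\jdoe\\Downloads\\update.zip"\r\n'
                  'ParameterBinding(Expand-Archive): name="DestinationPath"; value="C:\\Users\\jdoe\\AppData\\Local\\Temp\\u"'),
    # The same cmdlet text in a script-block-logging record (Event ID 4104)
    # is ignored: the rule is scoped to module logging only.
    PsModuleEvent(4104, "CORP\\jdoe", "Expand-Archive -Path a.zip -DestinationPath b"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields exactly one alert, for the `Expand-Archive` invocation in the 4103 record; the `Get-ChildItem` record and the 4104 script-block record are not matched. Because the rule is informational, the alert carries the bound `Path` and `DestinationPath` values so the hit can be triaged against known administrative activity rather than escalated on its own.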
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
  • Logon Session
Created: 2020-05-02