
Summary
This detection rule targets the RipZip phishing technique, which abuses the way Windows Explorer extracts ZIP archives. It looks for a ZIP file being expanded by the explorer.exe process in a way that drops a malicious shortcut into the Windows Startup folder. The shortcut's filename carries the identifier '{0AFACED1-E828-11D1-9187-B532F1E9575D}', the CLSID Windows uses for Folder Shortcuts, which indicates that Explorer handled the entry as a folder-shortcut operation rather than as an ordinary file write. Anything placed in the Startup folder runs at the next logon, so a match is a strong indicator of an unauthorized persistence mechanism: an attacker who uses social engineering to convince a user to open and extract the ZIP gains a foothold that survives reboots. Because the detection hinges on explorer.exe being the process that creates the file, the rule needs file-creation telemetry that records the creating process (for example Sysmon FileCreate events); archives extracted by a third-party tool will not produce the same signature.
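The following is an added example, not the rule's own query or any code from the rule's authors: it translates the conditions described above (explorer.exe as the creating process, a target path under a Startup folder, the Folder Shortcut CLSID in the filename) into a small Python matcher and runs it over constructed Sysmon-style FileCreate (Event ID 11) records. The field names Image and TargetFilename follow Sysmon's schema; the Startup folder paths and all sample events are assumptions made up for the example.

```python
import re

# CLSID of the Windows Folder Shortcut, as quoted in the rule summary above.
FOLDER_SHORTCUT_CLSID = "{0AFACED1-E828-11D1-9187-B532F1E9575D}"

# Matches both the per-user Startup folder (...\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\)
# and the all-users one (...\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\).
# Path layout is an assumption for this example, not taken from the rule.
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def is_ripzip_drop(event: dict) -> bool:
    """Return True when a FileCreate event matches the RipZip pattern.

    All three conditions must hold:
      1. the creating process is explorer.exe,
      2. the file lands inside a Startup folder,
      3. the filename contains the Folder Shortcut CLSID.
    """
    if event.get("EventID") != 11:          # Sysmon FileCreate (assumed schema)
        return False
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    if not image.lower().endswith("\\explorer.exe"):
        return False
    if not STARTUP_FOLDER.search(target):
        return False
    return FOLDER_SHORTCUT_CLSID.lower() in target.lower()


def find_ripzip_drops(events):
    """Filter a list of events down to those matching the RipZip pattern."""
    return [e for e in events if is_ripzip_drop(e)]


# Constructed sample telemetry; none of these records come from a real host.
SAMPLE_EVENTS = [
    {   # explorer.exe drops a CLSID-tagged shortcut into the user's Startup folder: MATCH
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}",
    },
    {   # explorer.exe writing an ordinary file elsewhere: no match
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Desktop\notes.txt",
    },
    {   # same filename, but written by a third-party archiver, not explorer.exe: no match
        "EventID": 11,
        "Image": r"C:\Program Files\7-Zip\7zG.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}",
    },
    {   # all-users Startup folder, lowercase CLSID: MATCH (comparison is case-insensitive)
        "EventID": 11,
        "Image": r"C:\WINDOWS\Explorer.EXE",
        "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.lnk.{0afaced1-e828-11d1-9187-b532f1e9575d}",
    },
]


if __name__ == "__main__":
    for hit in find_ripzip_drops(SAMPLE_EVENTS):
        print("RipZip-style Startup drop:", hit["Image"], "->", hit["TargetFilename"])
```

The third sample is deliberately a miss: the rule as described keys on explorer.exe, so the same shortcut written by another extraction tool needs separate coverage (a broader Startup-folder LNK rule) rather than a tweak to this one.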
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
Created: 2022-07-21