
Summary
This detection rule identifies trusted Windows applications that write archive files to disk, behaviour those applications have no ordinary reason to exhibit. It watches file-creation events from a fixed set of executables commonly found on Windows systems, including the Microsoft Office applications and utilities such as notepad and AcroRd32.exe, and fires when any of them creates a file whose extension is an archive type such as .zip, .rar, .7z, .diagcab or .appx. Because these applications do not normally produce such files, the activity may indicate misuse or exploitation of the process, for example a malicious document or macro using the trusted parent process to write a payload. The rule is rated high severity and maps to defense evasion: attackers use trusted applications to drop malicious payloads or encrypted archives so that the activity blends in with legitimate use and evades detection mechanisms. The rule is still in test status. It relies on file event logs from Windows endpoints to monitor file creation by these applications, and the match is made on the extension of the written file rather than its content. False positives may occur but are currently categorized as 'unknown'.
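To make the matching logic concrete, the following is an added example and not the rule's own source (the page does not reproduce it). It applies the condition described above to a few constructed file-creation events in the shape of Sysmon Event ID 11 (FileCreate) records. The field names `Image` and `TargetFilename`, the specific Office executables standing in for "Microsoft Office applications", and the sample events are assumptions; the archive extensions are the ones named in the summary, and the published rule may list more.

```python
"""Apply the detection's condition to constructed Windows file-creation events.

Assumptions (not from the page): Sysmon-style field names, the exact Office
executable names, and the sample events below.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Archive extensions named in the rule summary (the real rule may list more).
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".diagcab", ".appx"}

# Watched process image names. The page names notepad and AcroRd32.exe
# explicitly; winword/excel/powerpnt are an assumed reading of "Microsoft
# Office applications". Compared case-insensitively.
WATCHED_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "notepad.exe", "acrord32.exe",
}


@dataclass(frozen=True)
class FileCreateEvent:
    image: str            # full path of the creating process (Sysmon "Image")
    target_filename: str  # path of the file written (Sysmon "TargetFilename")


def is_suspicious_archive_drop(event: FileCreateEvent) -> bool:
    """True when a watched process writes a file with an archive extension.

    The check is purely extension-based, as the summary describes: a watched
    process writing a .docx (internally a ZIP container) is not matched unless
    that extension is in ARCHIVE_EXTENSIONS, and a file with no extension is
    never matched.
    """
    image_name = PureWindowsPath(event.image).name.lower()
    if image_name not in WATCHED_IMAGES:
        return False
    suffix = PureWindowsPath(event.target_filename).suffix.lower()
    return suffix in ARCHIVE_EXTENSIONS


def evaluate(events):
    """Return the events that trigger the detection, in input order."""
    return [e for e in events if is_suspicious_archive_drop(e)]


# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    # Word writing a ZIP into the user's temp directory: should fire.
    FileCreateEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Users\alice\AppData\Local\Temp\payload.zip",
    ),
    # Notepad saving a text file: watched process, benign extension.
    FileCreateEvent(r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\alice\Desktop\notes.txt"),
    # Acrobat Reader writing a troubleshooting pack: should fire.
    FileCreateEvent(
        r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
        r"C:\Users\alice\Downloads\update.diagcab",
    ),
    # A real archiver writing an archive: not a watched process.
    FileCreateEvent(r"C:\Program Files\7-Zip\7zFM.exe",
                    r"C:\Users\alice\Documents\backup.7z"),
    # Word saving a document: ZIP internally, but the extension is not listed.
    FileCreateEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Users\alice\Documents\report.docx",
    ),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} wrote {hit.target_filename}")
```

Running the block alerts on the first and third constructed events only. Two points the example makes visible: the match is on the written file's extension and the creating image name, so the same archive written by an actual archiver is ignored, and any Office format that is a ZIP container internally passes unless its extension is explicitly listed.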
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2022-08-21