
Summary
The 'Windows Archive Collected Data via Powershell' analytic rule detects potential staging of data for exfiltration by PowerShell scripts that compress files into a temporary directory. It monitors the `Compress-Archive` cmdlet through PowerShell Script Block Logging (EventCode 4104) and flags script blocks that reference the Temp directory, a common staging location for adversaries consolidating collected data before moving it out of the environment. The detection's value lies in surfacing unauthorized archiving of data, the step that precedes and enables exfiltration of sensitive information; because the rule keys on the Temp directory, archives staged elsewhere are out of its scope. Implementing the rule requires enabling PowerShell Script Block Logging on the monitored endpoints and ingesting EventCode 4104, so that the text of executed script blocks is available for inspection. Known false positives arise from legitimate uses of `Compress-Archive`, such as backup or build scripts that stage archives in Temp; tune by allowlisting those specific scripts rather than the cmdlet itself. Overall, the rule improves security posture by flagging behavior consistent with an adversary's collection and archiving of data (ATT&CK T1560, Archive Collected Data).
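As an added illustration of the logic described above (example code, not the rule's own search), the following Python applies the same two conditions, a `Compress-Archive` call combined with a Temp-directory reference, to a handful of constructed EventCode 4104 records, and shows how the known false positive can be tuned out per script. The record field names (`EventCode`, `Computer`, `UserID`, `Path`, `ScriptBlockText`), the sample events and the exact temp-path patterns are assumptions made for this example.

```python
import re

# Patterns the detection keys on. PowerShell cmdlet names and Windows paths
# are case-insensitive, so both regexes ignore case. The temp-path pattern is
# an assumption for this example: it covers $env:TEMP / $env:TMP,
# %TEMP% / %TMP%, and any path component literally named "Temp"
# (C:\Windows\Temp, ...\AppData\Local\Temp).
COMPRESS_RE = re.compile(r"\bCompress-Archive\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\$env:(?:temp|tmp)\b|%(?:temp|tmp)%|\\temp\\", re.IGNORECASE)

# Constructed 4104 records (not real log data). Only the fields the rule
# needs are modelled; the field names are an assumption about how the
# Microsoft-Windows-PowerShell/Operational log is ingested.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01", "UserID": "S-1-5-21-1-2-3-1001",
     "Path": "",
     "ScriptBlockText": "Compress-Archive -Path C:\\Users\\alice\\Documents\\* "
                        "-DestinationPath $env:TEMP\\docs.zip"},
    {"EventCode": 4104, "Computer": "WS02", "UserID": "S-1-5-21-1-2-3-1002",
     "Path": "",
     "ScriptBlockText": "compress-archive -path 'C:\\Finance\\Q3' "
                        "-destinationpath 'C:\\Windows\\Temp\\q3.zip' -Force"},
    {"EventCode": 4104, "Computer": "WS03", "UserID": "S-1-5-21-1-2-3-1003",
     "Path": "C:\\Scripts\\build.ps1",
     "ScriptBlockText": "Compress-Archive -Path C:\\Build\\out "
                        "-DestinationPath C:\\Artifacts\\build.zip"},
    {"EventCode": 4104, "Computer": "WS04", "UserID": "S-1-5-21-1-2-3-1004",
     "Path": "",
     "ScriptBlockText": "Get-ChildItem $env:TEMP | Remove-Item -Recurse -Force"},
    {"EventCode": 4104, "Computer": "BKP01", "UserID": "S-1-5-21-1-2-3-1005",
     "Path": "C:\\Scripts\\nightly-backup.ps1",
     "ScriptBlockText": "Compress-Archive -Path D:\\Data "
                        "-DestinationPath $env:TEMP\\staging.zip"},
    # Wrong event code: 4103 is pipeline execution, not script block text.
    {"EventCode": 4103, "Computer": "WS06", "UserID": "S-1-5-21-1-2-3-1006",
     "Path": "",
     "ScriptBlockText": "Compress-Archive -Path C:\\x -DestinationPath $env:TEMP\\x.zip"},
]


def is_temp_archive_scriptblock(text: str) -> bool:
    """True when a script block both calls Compress-Archive and references a Temp location."""
    return bool(COMPRESS_RE.search(text) and TEMP_RE.search(text))


def run_detection(events, allowlisted_script_paths=frozenset()):
    """Apply the rule over records, returning one hit per matching 4104 script block.

    allowlisted_script_paths is the tuning knob for the known false positive
    (legitimate archiving scripts): a record whose Path field is on the list is
    suppressed. Interactive or unsaved blocks carry an empty Path and are never
    suppressed, since that is where ad-hoc operator activity lands.
    """
    allow = {p.lower() for p in allowlisted_script_paths}
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if not is_temp_archive_scriptblock(text):
            continue
        if ev.get("Path") and ev["Path"].lower() in allow:
            continue
        hits.append({"Computer": ev["Computer"], "UserID": ev["UserID"],
                     "ScriptBlockText": text})
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, {"C:\\Scripts\\nightly-backup.ps1"}):
        print(f"{hit['Computer']} {hit['UserID']}: {hit['ScriptBlockText']}")
```

Without an allowlist the backup host BKP01 fires alongside WS01 and WS02; allowlisting its script path by name removes only that known-good source while leaving interactive use of `Compress-Archive` into Temp visible.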
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Process
ATT&CK Techniques
- T1560
Created: 2024-11-13