ルール更新 (#224)

rules/sigma/powershell/powershell_script/powershell_data_compressed.yml

@@ -0,0 +1,31 @@
+
+title: Data Compressed - PowerShell
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: An adversary may compress data (e.g., sensitive documents) that is collected
+  prior to exfiltration in order to make it portable and minimize the amount of data
+  sent over the network.
+detection:
+  SELECTION_1:
+    ScriptBlockText: '*-Recurse*'
+  SELECTION_2:
+    ScriptBlockText: '*|*'
+  SELECTION_3:
+    ScriptBlockText: '*Compress-Archive*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Highly likely if archive operations are done via PowerShell.
+id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
+level: low
+logsource:
+  category: ps_script
+  definition: Script block logging must be enabled
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1560
+- attack.t1002