title: Data Compressed - PowerShell
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: An adversary may compress data (e.g., sensitive documents) that is collected
  prior to exfiltration in order to make it portable and minimize the amount of data
  sent over the network.
detection:
  SELECTION_1:
    ScriptBlockText: '*-Recurse*'
  SELECTION_2:
    ScriptBlockText: '*|*'
  SELECTION_3:
    ScriptBlockText: '*Compress-Archive*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Highly likely if archive operations are done via PowerShell.
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
level: low
logsource:
  category: ps_script
  definition: Script block logging must be enabled
  product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
status: experimental
tags:
- attack.exfiltration
- attack.t1560
- attack.t1002