title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
    temporary folder for later exfiltration
detection:
    SELECTION_1:
        ScriptBlockText: '*Compress-Archive *'
    SELECTION_2:
        ScriptBlockText: '* -Path *'
    SELECTION_3:
        ScriptBlockText: '* -DestinationPath *'
    SELECTION_4:
        ScriptBlockText: '*$env:TEMP\\*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
level: medium
logsource:
    category: ps_script
    definition: Script Block Logging must be enable
    product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
status: experimental
tags:
- attack.collection
- attack.t1074.001
yml_filename: powershell_susp_zip_compress_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script