Windows password protected ZIP file opened with suspicious filenames
Goal
Detects password-protected ZIP files containing suspicious filenames that are commonly used in phishing attacks.
Strategy
This rule monitors Windows event ID 5379 for shell extension handler operations involving ZIP folders with common social engineering keywords. It identifies when @Event.EventData.Data.TargetName contains Microsoft_Windows_Shell_ZipFolder along with suspicious terms.
Password-protected archives prevent security scanning while business-themed filenames create urgency for users to open the contents. These techniques combined are frequently used in malware distribution campaigns to bypass detection controls.
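The matching logic described above, run over a few constructed event records (added example, not Datadog's rule implementation): the page does not enumerate the suspicious terms, so the keyword list is an assumption, as is the `filename=` layout of the TargetName value.

```python
# Constructed keyword list: the rule text only says "common social engineering
# keywords", so these business-themed terms are an assumption for illustration.
SUSPICIOUS_TERMS = ("invoice", "payment", "receipt", "contract", "remittance")

# Substring the rule looks for in @Event.EventData.Data.TargetName.
ZIP_FOLDER_MARKER = "Microsoft_Windows_Shell_ZipFolder"


def matched_terms(event):
    """Return the suspicious terms found in a matching event 5379 record,
    or an empty list when the event does not satisfy the rule conditions."""
    if event.get("EventID") != 5379:
        return []
    target = event.get("EventData", {}).get("Data", {}).get("TargetName", "")
    if ZIP_FOLDER_MARKER not in target:
        return []
    lowered = target.lower()  # keyword comparison is case-insensitive
    return [term for term in SUSPICIOUS_TERMS if term in lowered]


def is_suspicious_zip_event(event):
    return bool(matched_terms(event))


def find_hits(events):
    """Collect host, archive name and matched terms for each alerting event,
    which is the context a triage note for the rule would want."""
    hits = []
    for ev in events:
        terms = matched_terms(ev)
        if not terms:
            continue
        target = ev["EventData"]["Data"]["TargetName"]
        # Assumed layout: "<marker>:filename=<path>"; fall back to the raw value.
        name = target.split("filename=", 1)[1] if "filename=" in target else target
        hits.append({"host": ev.get("Computer", "unknown"), "filename": name, "terms": terms})
    return hits


# Constructed sample events: one alerting archive, one benign archive, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 5379, "Computer": "WS01", "EventData": {"Data": {
        "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\a\\Downloads\\Invoice_Q3_Payment.zip"}}},
    {"EventID": 5379, "Computer": "WS01", "EventData": {"Data": {
        "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\a\\Downloads\\holiday_photos.zip"}}},
    {"EventID": 4624, "Computer": "WS02", "EventData": {"Data": {"TargetName": "Invoice.zip"}}},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```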
Triage & Response
- Examine the source of the ZIP file on {{host}} and how it was delivered.
- Review extracted file contents in a secure environment for malicious indicators.
- Monitor for unusual process executions or network activity following extraction.
- Search for similar password-protected archives across your environment.
- Remove malicious files and block distribution sources.
- Isolate {{host}} if compromise indicators are detected.