Windows password protected ZIP file opened with suspicious filenames

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects password-protected ZIP files containing suspicious filenames that are commonly used in phishing attacks.

Strategy

This rule monitors Windows event ID 5379 for shell extension handler operations involving ZIP folders with common social engineering keywords. It identifies when @Event.EventData.Data.TargetName contains Microsoft_Windows_Shell_ZipFolder along with suspicious terms.

Password-protected archives prevent security scanning of their contents, while business-themed filenames create urgency for users to open them. Combined, these techniques are frequently used in malware distribution campaigns to bypass detection controls.
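To show the matching logic described above against sample telemetry, here is an added Python example; it is not the rule's own implementation or Datadog code. It assumes the TargetName layout `Microsoft_Windows_Shell_ZipFolder:filename=<path>`, and the keyword list and events are constructed for illustration since the page does not list the rule's actual terms.

```python
"""Evaluate Windows event 5379 records for password-protected ZIP folders with suspicious names."""
import re

ZIP_TARGET_PREFIX = "Microsoft_Windows_Shell_ZipFolder"
# Assumed keyword list; the rule's real social engineering terms are not on the page.
SUSPICIOUS_TERMS = ("invoice", "payment", "urgent", "remittance", "statement")
# Assumed TargetName layout: "<prefix>:filename=<path to the archive>"
_FILENAME_RE = re.compile(r"filename=(?P<path>.+)$", re.IGNORECASE)

def zip_path_from_target(target_name):
    """Return the archive path from a ZIP-folder TargetName, or None for other credentials."""
    if not target_name.startswith(ZIP_TARGET_PREFIX):
        return None
    m = _FILENAME_RE.search(target_name)
    return m.group("path") if m else None

def matched_terms(path, terms=SUSPICIOUS_TERMS):
    """Case-insensitive keyword hits on the file name only, not the directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    return [t for t in terms if t in name]

def evaluate(event, terms=SUSPICIOUS_TERMS):
    """Return a finding dict when the event satisfies the rule, otherwise None."""
    if event.get("EventID") != 5379:
        return None
    target = event.get("EventData", {}).get("Data", {}).get("TargetName", "")
    path = zip_path_from_target(target)
    if path is None:
        return None
    hits = matched_terms(path, terms)
    if not hits:
        return None
    return {"host": event.get("Computer"), "zip_path": path, "terms": hits}

# Constructed sample events (not real telemetry): one true match, one benign ZIP,
# one non-ZIP credential, and one matching name under the wrong event ID.
SAMPLE_EVENTS = [
    {"EventID": 5379, "Computer": "ws01.example.local", "EventData": {"Data": {
        "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\jdoe\Downloads\URGENT_Invoice_2024.zip"}}},
    {"EventID": 5379, "Computer": "ws01.example.local", "EventData": {"Data": {
        "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\jdoe\Pictures\holiday.zip"}}},
    {"EventID": 5379, "Computer": "ws02.example.local", "EventData": {"Data": {
        "TargetName": "MicrosoftAccount:target=SSO_POP_Device"}}},
    {"EventID": 4624, "Computer": "ws02.example.local", "EventData": {"Data": {
        "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\invoice.zip"}}},
]

def run(events=SAMPLE_EVENTS):
    """Apply the rule to every event and return only the findings."""
    return [f for f in (evaluate(e) for e in events) if f]

if __name__ == "__main__":
    for finding in run():
        print(finding)
```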

Triage & Response

  • Examine the source of the ZIP file on {{host}} and how it was delivered.
  • Review extracted file contents in a secure environment for malicious indicators.
  • Monitor for unusual process executions or network activity following extraction.
  • Search for similar password-protected archives across your environment.
  • Remove malicious files and block distribution sources.
  • Isolate {{host}} if compromise indicators are detected.