Suspicious ZipExec Execution

Hunt Hypothesis

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Detection Rule

Sigma (Original)

title: Suspicious ZipExec Execution
id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
status: test
description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
references:
    - https://twitter.com/SBousseaden/status/1451237393017839616
    - https://github.com/Tylous/ZipExec
author: frack113
date: 2021-11-07
modified: 2022-12-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    run:
        CommandLine|contains|all:
            - '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
            - '.zip'
            - '/pass:'
            - '/user:'
    delete:
        CommandLine|contains|all:
            - '/delete'
            - 'Microsoft_Windows_Shell_ZipFolder:filename='
            - '.zip'
    condition: run or delete
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and TargetProcessCommandLine contains ".zip" and TargetProcessCommandLine contains "/pass:" and TargetProcessCommandLine contains "/user:") or (TargetProcessCommandLine contains "/delete" and TargetProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and TargetProcessCommandLine contains ".zip")

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Execution
• Technique: T1218 — T1218
• Technique: T1202 — T1202

References

• https://twitter.com/SBousseaden/status/1451237393017839616
• https://github.com/Tylous/ZipExec
• SigmaHQ Rule