Skip to content

Hide Navigation Hide TOC

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet (85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98)

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Cluster A Galaxy A Cluster B Galaxy B Level
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet (85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98) Sigma-Rules Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 1
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2