[metadata]
creation_date = "2023/12/15"

[rule]
author = ["Terguttac"]
description = "Alerts when a .zip file is created in a file path containing Windows\\Temp."
from = "now-6m" # This is the default value. Change as needed.
name = "Potential Zipped Exfiltration"
risk_score = 65
severity = "medium"
rule_id = "00000000-0000-0000-000000000008"
type = "query"

query = '''
event.dataset : "endpoint.events.file" and event.action : (creation or overwrite) and process.name : "powershell.exe" and file.path : *Windows\\\\Temp\\\\* and file.name : *.zip
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1074"
name = "Data Staged"
reference = "https://attack.mitre.org/techniques/T1074/"
[[rule.threat.technique.subtechnique]]
id = "T1074.001"
name = "Local Data Staging"
reference = "https://attack.mitre.org/techniques/T1074/001/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"