← Back to SOC feed Coverage →

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

sigma MEDIUM SigmaHQ
T1074.001
imProcessCreate
backdoorpowershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-13T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects PowerShell scripts that make use of the “Compress-Archive” Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by m

Detection Rule

Sigma (Original)

title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "Compress-Archive -Path" and TargetProcessCommandLine contains "-DestinationPath $env:TEMP") or (TargetProcessCommandLine contains "Compress-Archive -Path" and TargetProcessCommandLine contains "-DestinationPath" and TargetProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (TargetProcessCommandLine contains "Compress-Archive -Path" and TargetProcessCommandLine contains "-DestinationPath" and TargetProcessCommandLine contains ":\\Windows\\Temp\\")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml