Detect Outlook Exe Writing A Zip File

Description

This search looks for the process `outlook.exe` writing a `.zip` file to disk, which is one way a spearphishing attachment lands on an endpoint.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Phishing

Spearphishing Attachment

MITRE Threat Groups

APT-C-36
APT1
APT12
APT19
APT28
APT29
APT30
APT32
APT33
APT37
APT39
APT41
BRONZE BUTLER
BlackTech
Cobalt Group
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN6
FIN7
FIN8
Frankenstein
Gallmaker
Gamaredon Group
Gorgon Group
Inception
Kimsuky
Lazarus Group
Leviathan
Machete
Magic Hound
Mofang
Molerats
MuddyWater
Naikon
OilRig
PLATINUM
Patchwork
RTM
Rancor
Sandworm Team
Sharpshooter
Silence
TA459
TA505
The White Company
Tropic Trooper
Turla
Windshift
Wizard Spider
admin@338
menuPass

Data Sources

Endpoint Detection and Response


Detect Outlook Exe Writing A Zip File Help

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.
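The logic this search applies, re-implemented here as an added example that is not the page's own SPL and not part of the Splunk content: it runs offline over constructed Sysmon-style events, assuming Sysmon's Event ID 11 (FileCreate) schema, where `Image` is the writing process and `TargetFilename` the file written. The host names, process ids and paths below are constructed sample values. The comparison is case-insensitive on both the process name and the extension, since Windows paths vary in case across telemetry sources, and process-creation events (Event ID 1) for the same process are ignored because they record no file write.

```python
"""Offline re-implementation of "outlook.exe writes a .zip" over Sysmon-style events.

Added example, not the page's own search. Assumes Sysmon Event ID 11 field names
(Image, TargetFilename). All sample events are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Constructed sample events: one true positive per host ws01 and ws03, one
# benign Outlook write (.ost), one .zip written by a different process, and one
# process-creation event that must not match because it records no file write.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "ws01", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.zip"},
    {"EventID": 11, "Computer": "ws01", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"},
    {"EventID": 11, "Computer": "ws02", "ProcessId": 7788,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\archive.zip"},
    {"EventID": 11, "Computer": "ws03", "ProcessId": 9001,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe",
     "TargetFilename": r"C:\Users\carol\AppData\Local\Temp\REPORT.ZIP"},
    {"EventID": 1, "Computer": "ws03", "ProcessId": 9001,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe",
     "CommandLine": '"outlook.exe"'},
]


def is_outlook_zip_write(event):
    """True when a FileCreate event shows outlook.exe writing a .zip file."""
    if event.get("EventID") != 11:          # only file-creation events count
        return False
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    suffix = PureWindowsPath(event.get("TargetFilename", "")).suffix.lower()
    return image == "outlook.exe" and suffix == ".zip"


def detect(events):
    """Group matching writes by (host, process id); returns {key: [paths]}."""
    findings = {}
    for ev in events:
        if is_outlook_zip_write(ev):
            key = (ev["Computer"], ev["ProcessId"])
            findings.setdefault(key, []).append(ev["TargetFilename"])
    return findings


if __name__ == "__main__":
    for (host, pid), paths in detect(SAMPLE_EVENTS).items():
        print(f"{host} pid={pid} outlook.exe wrote: {', '.join(paths)}")
```

Grouping by host and process id mirrors the kind of aggregation an analyst would want when triaging: one finding per Outlook session with every archive it wrote, rather than one alert per file. Before enabling a search like this in production, baseline how often Outlook legitimately writes archives in your environment (for example, when users open attachments), since that volume drives the tuning.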
