T1027.015 Compression Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1027.015 - Compression
// Detect suspicious archive extraction patterns, SFX execution, and nested archive delivery
let SuspiciousExtraction = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (
    // 7zip / WinRAR extracting to suspicious staging paths
    (FileName in~ ("7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "unrar.exe") 
     and ProcessCommandLine has_any ("x ", "e ", "t ")
     and ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Users\\Public\\")
    )
    // PowerShell GZip/Deflate decompress pattern
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("GZipStream", "DeflateStream", "IO.Compression", "System.IO.Compression"))
    // Expand-Archive extracting to temp/staging location
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Expand-Archive", "Extract()", "ExtractToDirectory") 
        and ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\ProgramData\\"))
)
| extend DetectionType = case(
    FileName in~ ("7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "unrar.exe"), "archive_tool_extraction_staging",
    ProcessCommandLine has_any ("GZipStream", "DeflateStream"), "powershell_memory_decompress",
    "powershell_extract_archive_staging"
);
let SelfExtractingArchive = DeviceProcessEvents
| where ActionType == "ProcessCreated"
// SFX archives: executable file that extracts and runs content without external tools
| where FileName endswith ".exe"
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\Desktop\\", "\\AppData\\", "\\Users\\Public\\")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe", "firefox.exe")
// SFX processes often spawn cmd.exe or powershell.exe immediately after extraction
| join kind=inner (
    DeviceProcessEvents
    | where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
    | where InitiatingProcessFolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\")
) on DeviceId
| extend DetectionType = "self_extracting_archive_exec";
let NestedArchiveDelivery = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\")
// High-risk parent process: email client or browser downloading the archive
| where InitiatingProcessFileName in~ ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
| extend DetectionType = "archive_via_email_or_browser";
SuspiciousExtraction
| union SelfExtractingArchive
| union NestedArchiveDelivery
| project-reorder Timestamp, DeviceName, DetectionType, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName

severity confidence

Splunk

spl

index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventCode=coalesce(EventCode, event_id)
| search EventCode IN (1, 11)
| eval detection_type=case(
    EventCode=1 AND match(lower(Image), "(7z|7za|7zr|winrar|unrar)\.exe") AND match(lower(CommandLine), "(x |e |t )") AND match(lower(CommandLine), "(\\\\temp|appdata|programdata|public)"), "archive_extraction_to_staging",
    EventCode=1 AND match(lower(Image), "powershell\.exe") AND match(CommandLine, "(?i)(GZipStream|DeflateStream|IO\.Compression|Expand-Archive)") AND match(lower(CommandLine), "(temp|appdata|programdata)"), "powershell_decompress",
    EventCode=1 AND match(lower(Image), "powershell\.exe") AND match(CommandLine, "(?i)(ExtractToDirectory|Expand-Archive)"), "powershell_extract_archive",
    EventCode=11 AND match(lower(TargetFilename), "\.(zip|rar|7z|gz|tar)$") AND match(lower(TargetFilename), "(downloads|temp|appdata)") AND match(lower(Image), "(outlook|thunderbird|chrome|msedge|firefox)\.exe"), "archive_delivered_via_email_browser",
    EventCode=11 AND match(lower(TargetFilename), "\.zip$") AND match(lower(Image), "(7z|winrar|unrar)\.exe"), "nested_archive_extracted",
    true(), null()
)
| search detection_type=*
| eval risk_score=case(
    detection_type="powershell_decompress", 80,
    detection_type="archive_extraction_to_staging", 60,
    detection_type="archive_delivered_via_email_browser", 55,
    detection_type="nested_archive_extracted", 65,
    detection_type="powershell_extract_archive", 65,
    true(), 50
)
| table _time, Computer, detection_type, risk_score, Image, CommandLine, TargetFilename, ParentImage
| sort -risk_score

severity confidence

Elastic Security (EQL)

eql

sequence by host.id with maxspan=2m
  [process where event.type == "start" and (
    (process.name in~ ("7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "unrar.exe") and
     process.args : ("x", "e", "t") and
     process.args : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*"))
    or
    (process.name : "powershell.exe" and
     process.command_line : ("*GZipStream*", "*DeflateStream*", "*IO.Compression*", "*Expand-Archive*", "*ExtractToDirectory*"))
  )]
  [process where event.type == "start" and
   process.parent.name in~ ("7z.exe", "7za.exe", "winrar.exe", "powershell.exe") and
   process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")]

sequence by host.id with maxspan=30s
  [file where event.type == "creation" and
   file.extension in~ ("zip", "rar", "7z", "gz", "tar") and
   file.path : ("*\\Downloads\\*", "*\\Temp\\*", "*\\AppData\\*") and
   process.name in~ ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe")]
  [process where event.type == "start" and
   process.name in~ ("7z.exe", "7za.exe", "winrar.exe", "unrar.exe")]

medium severity medium confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate software installers and update mechanisms that decompress archives to ProgramData or AppData during installation (e.g., Chocolatey, Ninite, enterprise software deployment tools)
IT administrators or developers using 7-Zip or WinRAR via scripts to deploy or stage software packages to standard paths
Security tools or EDR agents that use PowerShell GZipStream for log compression or telemetry collection

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "devicehostname" AS hostname,
  "username" AS username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_file,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Image") MATCHES '(7z|7za|7zr|winrar|unrar)\.exe'
         AND LOWER("CommandLine") MATCHES '( x | e | t )'
         AND LOWER("CommandLine") MATCHES '(\\temp|appdata|programdata|public)'
      THEN 'archive_extraction_to_staging'
    WHEN LOWER("Image") MATCHES 'powershell\.exe'
         AND "CommandLine" IMATCHES '(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory)'
      THEN 'powershell_decompress_or_extract'
    WHEN LOWER("TargetFilename") MATCHES '\.(zip|rar|7z|gz|tar)$'
         AND LOWER("TargetFilename") MATCHES '(downloads|temp|appdata)'
         AND LOWER("Image") IMATCHES '(outlook|thunderbird|chrome|msedge|firefox)\.exe'
      THEN 'archive_delivered_via_email_browser'
    WHEN LOWER("TargetFilename") MATCHES '\.zip$'
         AND LOWER("Image") IMATCHES '(7z|winrar|unrar)\.exe'
      THEN 'nested_archive_extracted'
    ELSE 'unknown'
  END AS detection_type,
  CASE
    WHEN "CommandLine" IMATCHES '(GZipStream|DeflateStream|IO\.Compression)' THEN 80
    WHEN LOWER("TargetFilename") MATCHES '\.zip$' AND LOWER("Image") IMATCHES '(7z|winrar)\.exe' THEN 65
    WHEN LOWER("Image") IMATCHES '(7z|7za|winrar|unrar)\.exe' AND LOWER("CommandLine") MATCHES '(temp|appdata)' THEN 60
    WHEN LOWER("TargetFilename") MATCHES '(downloads|temp|appdata)' AND LOWER("Image") IMATCHES '(outlook|chrome)\.exe' THEN 55
    ELSE 50
  END AS risk_score
FROM events
WHERE LOGSOURCETYPEID IN (12, 67, 90)
  AND QIDNAME(qid) IN ('Process Creation', 'File Created', 'Sysmon')
  AND (
    (LOWER("Image") MATCHES '(7z|7za|7zr|winrar|unrar)\.exe'
     AND LOWER("CommandLine") MATCHES '( x | e | t )'
     AND LOWER("CommandLine") MATCHES '(\\temp|appdata|programdata|public)')
    OR (LOWER("Image") MATCHES 'powershell\.exe'
        AND "CommandLine" IMATCHES '(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory)')
    OR (LOWER("TargetFilename") MATCHES '\.(zip|rar|7z|gz|tar)$'
        AND LOWER("TargetFilename") MATCHES '(downloads|temp|appdata)'
        AND LOWER("Image") IMATCHES '(outlook|thunderbird|chrome|msedge|firefox)\.exe')
  )
ORDER BY risk_score DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

IBM QRadar with Sysmon DSM Windows Security Event Log DSM QRadar Endpoint Detection

Required Tables

events

False Positives

Enterprise software deployment systems (SCCM, Intune, Ansible) that routinely extract archives to ProgramData or AppData during managed software rollout
Developer workstations where build pipelines download and extract dependency archives to temp directories as part of normal CI/CD activity
Backup and archival agents that periodically compress and decompress data using PowerShell IO.Compression classes for cloud backup

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as computer nodrop
| where event_id in ("1", "11")
| where (
    (
      event_id = "1"
      AND matches(toLowerCase(image), ".*(7z|7za|7zr|winrar|unrar)\.exe.*")
      AND (matches(toLowerCase(command_line), ".* x .*") OR matches(toLowerCase(command_line), ".* e .*"))
      AND matches(toLowerCase(command_line), ".*(\\temp|appdata|programdata|public).*")
    )
    OR (
      event_id = "1"
      AND matches(toLowerCase(image), ".*powershell\.exe.*")
      AND (
        matches(command_line, "(?i).*(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory).*")
      )
    )
    OR (
      event_id = "11"
      AND matches(toLowerCase(target_filename), ".*\.(zip|rar|7z|gz|tar)$")
      AND matches(toLowerCase(target_filename), ".*(downloads|temp|appdata).*")
      AND matches(toLowerCase(image), ".*(outlook|thunderbird|chrome|msedge|firefox)\.exe.*")
    )
    OR (
      event_id = "11"
      AND matches(toLowerCase(target_filename), ".*\.zip$")
      AND matches(toLowerCase(image), ".*(7z|winrar|unrar)\.exe.*")
    )
  )
| eval detection_type = if(
    event_id = "1" AND matches(toLowerCase(image), ".*(7z|7za|7zr|winrar|unrar)\.exe.*"),
    "archive_extraction_to_staging",
    if(
      event_id = "1" AND matches(toLowerCase(image), ".*powershell\.exe.*"),
      "powershell_decompress",
      if(
        event_id = "11" AND matches(toLowerCase(image), ".*(7z|winrar)\.exe.*") AND matches(toLowerCase(target_filename), ".*\.zip$"),
        "nested_archive_extracted",
        "archive_delivered_via_email_browser"
      )
    )
  )
| eval risk_score = if(detection_type = "powershell_decompress", 80,
    if(detection_type = "nested_archive_extracted", 65,
    if(detection_type = "archive_extraction_to_staging", 60,
    55)))
| fields _messagetime, computer, detection_type, risk_score, image, command_line, target_filename, parent_image
| sort by risk_score desc

medium severity medium confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Windows Event Log via Sumo Logic Agent

Required Tables

windows/sysmon windows/security

False Positives

Automated patch management or software packaging tools (e.g., PDQ Deploy, Chocolatey) that extract archives to AppData or ProgramData as part of legitimate software updates
Data science or development environments that use PowerShell compression libraries to process datasets or build artifacts in temp directories
Security scanning tools such as antivirus or vulnerability scanners that open and inspect archive files retrieved via browsers from known-safe repositories

Google Chronicle / SecOps

yaral

rule t1027_015_compression_suspicious_extraction {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious archive extraction to staging paths, PowerShell decompression, and archive delivery via browser or email — T1027.015 Obfuscated Files: Compression"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.015"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Archive tool extracting to suspicious staging paths
      (
        re.regex($e.target.process.file.full_path, `(?i)(7z|7za|7zr|winrar|unrar)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)( x | e | t )`)
        and re.regex($e.target.process.command_line, `(?i)(\\Temp\\|AppData|ProgramData|Users\\Public)`)
      )
      or
      // PowerShell GZip/Deflate in-memory decompress
      (
        re.regex($e.target.process.file.full_path, `(?i)powershell\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(GZipStream|DeflateStream|IO\.Compression|System\.IO\.Compression)`)
      )
      or
      // PowerShell Expand-Archive to staging path
      (
        re.regex($e.target.process.file.full_path, `(?i)powershell\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(Expand-Archive|ExtractToDirectory|Extract\(\))`)
        and re.regex($e.target.process.command_line, `(?i)(\\Temp\\|AppData|ProgramData)`)
      )
    )

  condition:
    $e
}

rule t1027_015_archive_delivered_browser_email {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects archive files created in download/temp paths by browser or email client processes — T1027.015"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.015"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.hostname = $hostname

    re.regex($e.target.file.full_path, `(?i)\.(zip|rar|7z|gz|tar)$`)
    and re.regex($e.target.file.full_path, `(?i)(Downloads|Temp|AppData)`)
    and re.regex($e.principal.process.file.full_path, `(?i)(outlook|thunderbird|chrome|msedge|firefox|iexplore)\.exe$`)

  condition:
    $e
}

rule t1027_015_sfx_exec_chain {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects self-extracting archive execution spawning cmd/powershell from download/temp paths — T1027.015"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.015"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // First: EXE launched from user-accessible path by browser or explorer
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.hostname = $hostname
    re.regex($launch.principal.process.file.full_path, `(?i)(explorer|outlook|chrome|msedge|firefox)\.exe$`)
    re.regex($launch.target.process.file.full_path, `(?i)(Downloads|Temp|Desktop|AppData).*\.exe$`)
    $launch.target.process.pid = $parent_pid

    // Second: spawned shell process from same parent
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.principal.hostname = $hostname
    $shell.principal.process.pid = $parent_pid
    re.regex($shell.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$`)

  match:
    $hostname over 2m

  condition:
    $launch and $shell
}

medium severity medium confidence

Data Sources

Chronicle SIEM with Windows Event Forwarding Chronicle Endpoint Telemetry (UDM) Google Workspace / Chronicle with Sysmon forwarder

Required Tables

PROCESS_LAUNCH UDM events FILE_CREATION UDM events

False Positives

Legitimate enterprise application packaging tools (e.g., NSIS, Inno Setup installers) that create self-extracting EXEs and spawn cmd.exe for post-install scripts — will trigger the SFX chain rule
Browser extensions or download managers that extract ZIP files automatically to the Downloads folder as part of their normal operation
IT automation scripts using PowerShell Expand-Archive to deploy configuration files or application packages to standard Windows directories

CrowdStrike LogScale (CQL)

cql

// T1027.015 - Compression: Archive extraction to staging, PowerShell decompression, SFX execution

// Detection 1: Archive tool extracting to suspicious staging paths
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(7z|7za|7zr|winrar|unrar)\.exe$/
| CommandLine=/(?: x | e | t )/i
| CommandLine=/(?i)(\\Temp\\|AppData|ProgramData|Users\\Public)/
| eval detection_type="archive_extraction_to_staging"
| eval risk_score=60
| fields timestamp, ComputerName, UserName, detection_type, risk_score, ImageFileName, CommandLine, ParentBaseFileName, TargetProcessId

// Detection 2: PowerShell in-memory decompression
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)powershell\.exe$/
| CommandLine=/(?i)(GZipStream|DeflateStream|IO\.Compression|System\.IO\.Compression|Expand-Archive|ExtractToDirectory)/
| eval detection_type="powershell_decompress_or_extract"
| eval risk_score=80
| fields timestamp, ComputerName, UserName, detection_type, risk_score, ImageFileName, CommandLine, ParentBaseFileName

// Detection 3: Archive file written to staging path by browser or email client
#event_simpleName=NewExecutableWritten OR #event_simpleName=NewScriptWritten
| TargetFileName=/(?i)\.(zip|rar|7z|gz|tar)$/
| TargetFileName=/(?i)(Downloads|Temp|AppData)/
| ImageFileName=/(?i)(outlook|thunderbird|chrome|msedge|firefox|iexplore)\.exe$/
| eval detection_type="archive_delivered_via_email_browser"
| eval risk_score=55
| fields timestamp, ComputerName, UserName, detection_type, risk_score, ImageFileName, TargetFileName

// Unified summary with groupBy for analyst triage
// Run each detection block separately or union with append in Investigate
// Aggregate view:
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(7z|7za|7zr|winrar|unrar|powershell)\.exe$/
| CommandLine=/(?i)(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory| x | e | t )/
| CommandLine=/(?i)(\\Temp\\|AppData|ProgramData|Users\\Public)/
| groupBy([ComputerName, ImageFileName, #event_simpleName], function=[count(as=event_count), collect(CommandLine, limit=5)])
| sort(event_count, order=desc)
| limit 200

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon Data Replicator Falcon LogScale (Humio)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=NewExecutableWritten #event_simpleName=NewScriptWritten

False Positives

Software deployment pipelines or MDM tools that invoke 7z.exe or WinRAR with extraction flags targeting AppData or ProgramData as part of legitimate package delivery workflows
DevOps or developer workstations where PowerShell scripts routinely use IO.Compression or Expand-Archive to unpack build artifacts or NuGet packages into local temp directories
Security incident response toolkits or forensics agents (e.g., Velociraptor, KAPE) that use archive tools to collect and stage evidence, triggering archive-to-staging signatures

Compression

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections