T1027.015 Google Chronicle · YARA-L

Detect Compression in Google Chronicle

Adversaries compress payloads with ZIP, gzip, 7z, RAR and other archive formats to obfuscate malicious content and evade detection. Key techniques include nested archives (a RAR inside a ZIP, as used by DarkWatchman); concatenated ZIP files, where two ZIP archives, each with its own central directory, are joined into a single file (Perception Point research: some ZIP parsers, 7-Zip among them, read only the first archive and miss the embedded malicious payload); self-extracting (SFX) archives that run without any additional software on the host; and compressed shellcode stored in registry keys and decompressed in memory (Pillowmint/FIN7). Groups that use the technique include Gamaredon, Molerats, Higaisa, Leviathan and BlackTech (Flagpro), as do the malware families RTM, Hancitor, StrelaStealer and SUNBURST.
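The concatenated-ZIP trick described above is easy to check for on the defender's side: a well-formed ZIP carries exactly one End of Central Directory (EOCD) record, so two of them in one file means two archives were glued together. The script below is an added example, not part of this page or of any vendor's tooling. It builds two small constructed archives, concatenates them, counts EOCD records, and shows that different parsers see different member lists: splitting at each EOCD boundary exposes both archives, whereas Python's `zipfile`, which locates the EOCD by searching backwards from the end of the file, reports only the trailing archive (the page notes that 7-Zip, by contrast, reads only the first). The member names and contents are placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
EOCD_LEN = 22             # fixed part of the EOCD record; an optional comment follows


def build_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_eocd_records(blob):
    """Return (start, end) for every plausible EOCD record in blob.

    A hit is plausible only when its declared comment length fits inside the
    file; this filters stray signature bytes that may occur inside compressed
    data.
    """
    records, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) != -1:
        if pos + EOCD_LEN <= len(blob):
            comment_len = struct.unpack_from("<H", blob, pos + 20)[0]
            end = pos + EOCD_LEN + comment_len
            if end <= len(blob):
                records.append((pos, end))
        pos += 1
    return records


def is_concatenated_zip(blob):
    """True when more than one EOCD record is present, i.e. archives were joined."""
    return len(find_eocd_records(blob)) > 1


def members_per_archive(blob):
    """Split the blob at each EOCD boundary and list the members of every
    embedded archive; a front-to-back parser would see only the first list."""
    views, start = [], 0
    for _, end in find_eocd_records(blob):
        with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
            views.append(zf.namelist())
        start = end
    return views


def stdlib_view(blob):
    """What Python's zipfile reports: it finds the EOCD from the end of the
    file, so on a concatenated blob it parses the trailing archive only."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


# Constructed sample: a harmless document archive followed by a second archive.
FIRST = build_zip({"readme.txt": b"quarterly report, nothing to see\n"})
SECOND = build_zip({"update.ps1": b"Write-Host 'placeholder (benign sample)'\n"})
CONCATENATED = FIRST + SECOND

if __name__ == "__main__":
    print("concatenated:", is_concatenated_zip(CONCATENATED))
    print("per-archive view:", members_per_archive(CONCATENATED))
    print("zipfile view:", stdlib_view(CONCATENATED))
```

For mail-gateway or sandbox triage, `is_concatenated_zip` is the cheap pre-filter; `members_per_archive` is what the scanner should feed to its content checks, because whichever single view a given unpacker takes, the other archive is the one that goes uninspected.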

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.015 Compression
Canonical reference
https://attack.mitre.org/techniques/T1027/015/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1027_015_compression_suspicious_extraction {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious archive extraction to staging paths, PowerShell decompression, and archive delivery via browser or email — T1027.015 Obfuscated Files: Compression"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.015"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Archive tool extracting to suspicious staging paths
      (
        re.regex($e.target.process.file.full_path, `(?i)(7z|7za|7zr|winrar|unrar)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)( x | e | t )`)
        and re.regex($e.target.process.command_line, `(?i)(\\Temp\\|AppData|ProgramData|Users\\Public)`)
      )
      or
      // PowerShell GZip/Deflate in-memory decompress
      (
        re.regex($e.target.process.file.full_path, `(?i)powershell\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(GZipStream|DeflateStream|IO\.Compression|System\.IO\.Compression)`)
      )
      or
      // PowerShell Expand-Archive to staging path
      (
        re.regex($e.target.process.file.full_path, `(?i)powershell\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(Expand-Archive|ExtractToDirectory|Extract\(\))`)
        and re.regex($e.target.process.command_line, `(?i)(\\Temp\\|AppData|ProgramData)`)
      )
    )

  condition:
    $e
}

rule t1027_015_archive_delivered_browser_email {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects archive files created in download/temp paths by browser or email client processes — T1027.015"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.015"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.hostname = $hostname

    re.regex($e.target.file.full_path, `(?i)\.(zip|rar|7z|gz|tar)$`)
    and re.regex($e.target.file.full_path, `(?i)(Downloads|Temp|AppData)`)
    and re.regex($e.principal.process.file.full_path, `(?i)(outlook|thunderbird|chrome|msedge|firefox|iexplore)\.exe$`)

  condition:
    $e
}

rule t1027_015_sfx_exec_chain {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects self-extracting archive execution spawning cmd/powershell from download/temp paths — T1027.015"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.015"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // First: EXE launched from user-accessible path by browser or explorer
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.hostname = $hostname
    re.regex($launch.principal.process.file.full_path, `(?i)(explorer|outlook|chrome|msedge|firefox)\.exe$`)
    re.regex($launch.target.process.file.full_path, `(?i)(Downloads|Temp|Desktop|AppData).*\.exe$`)
    $launch.target.process.pid = $parent_pid

    // Second: spawned shell process from same parent
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.principal.hostname = $hostname
    $shell.principal.process.pid = $parent_pid
    re.regex($shell.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$`)

  match:
    $hostname over 2m

  condition:
    $launch and $shell
}
Severity: medium · Confidence: medium

Three Chronicle YARA-L 2.0 rules covering: (1) archive tool or PowerShell extraction to staging directories, (2) archive file delivery via a browser or email client, and (3) self-extracting archive execution chains that spawn shell processes. The rules use the UDM PROCESS_LAUNCH and FILE_CREATION event types.
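Before shipping rules like these to Chronicle it helps to exercise their logic offline against a handful of known-good and known-bad events. The following Python port of the three rules is an added example, not Argus's code and not a Chronicle API: the regexes are transcribed from the rules above, while the flat event dictionary (`event_type`, `hostname`, `ts`, `principal_path`, `target_path`, `cmdline`, `principal_pid`, `target_pid`) is a constructed stand-in for the UDM fields each rule reads, and all sample events, hostnames, paths and PIDs are constructed. The third rule's two-event join on hostname and PID inside the 2-minute match window is reproduced explicitly.

```python
import re
from datetime import datetime, timedelta

# Regexes transcribed from the three YARA-L rules on this page.
ARCHIVE_TOOL  = re.compile(r"(7z|7za|7zr|winrar|unrar)\.exe$", re.I)
EXTRACT_VERB  = re.compile(r"( x | e | t )", re.I)
STAGING_PATH  = re.compile(r"(\\Temp\\|AppData|ProgramData|Users\\Public)", re.I)
POWERSHELL    = re.compile(r"powershell\.exe$", re.I)
PS_INMEMORY   = re.compile(r"(GZipStream|DeflateStream|IO\.Compression|System\.IO\.Compression)", re.I)
PS_EXPAND     = re.compile(r"(Expand-Archive|ExtractToDirectory|Extract\(\))", re.I)
PS_STAGING    = re.compile(r"(\\Temp\\|AppData|ProgramData)", re.I)
ARCHIVE_EXT   = re.compile(r"\.(zip|rar|7z|gz|tar)$", re.I)
DOWNLOAD_PATH = re.compile(r"(Downloads|Temp|AppData)", re.I)
DELIVERY_PROC = re.compile(r"(outlook|thunderbird|chrome|msedge|firefox|iexplore)\.exe$", re.I)
LAUNCHER      = re.compile(r"(explorer|outlook|chrome|msedge|firefox)\.exe$", re.I)
USER_PATH_EXE = re.compile(r"(Downloads|Temp|Desktop|AppData).*\.exe$", re.I)
SHELL_PROC    = re.compile(r"(cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)


def event(event_type, hostname, ts, principal_path, target_path,
          cmdline="", principal_pid=None, target_pid=None):
    """Flattened stand-in for a UDM event (constructed, not the Chronicle schema)."""
    return dict(event_type=event_type, hostname=hostname, ts=ts,
                principal_path=principal_path, target_path=target_path,
                cmdline=cmdline, principal_pid=principal_pid, target_pid=target_pid)


def rule_suspicious_extraction(ev):
    """Port of t1027_015_compression_suspicious_extraction (single event)."""
    if ev["event_type"] != "PROCESS_LAUNCH":
        return False
    path, cmd = ev["target_path"], ev["cmdline"]
    archive_tool = (ARCHIVE_TOOL.search(path) and EXTRACT_VERB.search(cmd)
                    and STAGING_PATH.search(cmd))
    ps_in_memory = POWERSHELL.search(path) and PS_INMEMORY.search(cmd)
    ps_expand = (POWERSHELL.search(path) and PS_EXPAND.search(cmd)
                 and PS_STAGING.search(cmd))
    return bool(archive_tool or ps_in_memory or ps_expand)


def rule_archive_delivered(ev):
    """Port of t1027_015_archive_delivered_browser_email (single event)."""
    if ev["event_type"] != "FILE_CREATION":
        return False
    return bool(ARCHIVE_EXT.search(ev["target_path"])
                and DOWNLOAD_PATH.search(ev["target_path"])
                and DELIVERY_PROC.search(ev["principal_path"]))


def rule_sfx_exec_chain(events, window=timedelta(minutes=2)):
    """Port of t1027_015_sfx_exec_chain: join $launch and $shell on hostname and
    PID inside the match window. Returns (hostname, launched exe, shell) tuples."""
    hits = []
    launches = [e for e in events if e["event_type"] == "PROCESS_LAUNCH"
                and LAUNCHER.search(e["principal_path"])
                and USER_PATH_EXE.search(e["target_path"])]
    for launch in launches:
        for shell in events:
            if (shell["event_type"] == "PROCESS_LAUNCH"
                    and shell["hostname"] == launch["hostname"]
                    and shell["principal_pid"] == launch["target_pid"]
                    and SHELL_PROC.search(shell["target_path"])
                    and abs(shell["ts"] - launch["ts"]) <= window):
                hits.append((launch["hostname"], launch["target_path"], shell["target_path"]))
    return hits


def evaluate(events):
    """Run all three rules over an event list and collect what fired."""
    return {
        "suspicious_extraction": [e["cmdline"] for e in events if rule_suspicious_extraction(e)],
        "archive_delivered": [e["target_path"] for e in events if rule_archive_delivered(e)],
        "sfx_exec_chain": rule_sfx_exec_chain(events),
    }


# Constructed sample telemetry for one host; comments say which rule should fire.
T0 = datetime(2024, 1, 15, 9, 30, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SEVENZIP = r"C:\Program Files\7-Zip\7z.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # rule 1: 7-Zip extracting a download into %TEMP%
    event("PROCESS_LAUNCH", "ws01", T0, EXPLORER, SEVENZIP,
          cmdline=r"7z.exe x C:\Users\bob\Downloads\invoice.zip -oC:\Users\bob\AppData\Local\Temp\stage"),
    # benign: 7-Zip extracting an SDK into a project directory (no staging path)
    event("PROCESS_LAUNCH", "ws01", T0, EXPLORER, SEVENZIP,
          cmdline=r"7z.exe x C:\Projects\sdk.7z -oC:\Projects\sdk"),
    # rule 1: PowerShell in-memory decompression
    event("PROCESS_LAUNCH", "ws01", T0, EXPLORER, PS,
          cmdline='powershell.exe -nop -w hidden -c "New-Object IO.Compression.GZipStream"'),
    # rule 1: Expand-Archive into %APPDATA%
    event("PROCESS_LAUNCH", "ws01", T0, EXPLORER, PS,
          cmdline=r'powershell.exe -c "Expand-Archive -Path C:\Users\bob\Downloads\update.zip -DestinationPath C:\Users\bob\AppData\Roaming\upd"'),
    # rule 2: archive written to Downloads by the browser
    event("FILE_CREATION", "ws01", T0, CHROME, r"C:\Users\bob\Downloads\invoice.zip"),
    # benign: same archive copied by explorer.exe (not a delivery process)
    event("FILE_CREATION", "ws01", T0, EXPLORER, r"C:\Users\bob\Downloads\invoice.zip"),
    # rule 3: browser launches an EXE from Downloads, which spawns cmd.exe 30 s later
    event("PROCESS_LAUNCH", "ws01", T0 + timedelta(seconds=10), CHROME,
          r"C:\Users\bob\Downloads\invoice.exe", target_pid=4242),
    event("PROCESS_LAUNCH", "ws01", T0 + timedelta(seconds=40),
          r"C:\Users\bob\Downloads\invoice.exe", r"C:\Windows\System32\cmd.exe", principal_pid=4242),
    # outside the 2-minute window: must not join
    event("PROCESS_LAUNCH", "ws01", T0 + timedelta(minutes=10),
          r"C:\Users\bob\Downloads\invoice.exe", r"C:\Windows\System32\cmd.exe", principal_pid=4242),
]

if __name__ == "__main__":
    for rule, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {fired}")
```

Keeping the benign events in the fixture is the useful part: when tuning the regexes for the false positives listed below, the fixture should keep firing on the malicious rows and stay silent on the benign ones.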

Data Sources

  • Chronicle SIEM with Windows Event Forwarding
  • Chronicle Endpoint Telemetry (UDM)
  • Google Workspace / Chronicle with Sysmon forwarder

Required Tables

  • PROCESS_LAUNCH UDM events
  • FILE_CREATION UDM events

False Positives & Tuning

  • Legitimate enterprise application packaging tools (e.g., NSIS, Inno Setup installers) that create self-extracting EXEs and spawn cmd.exe for post-install scripts — will trigger the SFX chain rule
  • Browser extensions or download managers that extract ZIP files automatically to the Downloads folder as part of their normal operation
  • IT automation scripts using PowerShell Expand-Archive to deploy configuration files or application packages to standard Windows directories

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Extract Archive to Staging Directory using 7-Zip

    Expected signal: Sysmon EventCode 1 for 7z.exe with 'x' and output directory containing 'Temp' in CommandLine. EventCode 11 for ZIP creation and extracted file creation in %TEMP%.

  2. Test 2: PowerShell In-Memory GZip Decompression (Pillowmint Registry Pattern)

    Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 captures GZipStream usage and Invoke-Expression on decompressed content.

  3. Test 3: Nested Archive Delivery Simulation (DarkWatchman Pattern)

    Expected signal: Sysmon EventCode 11 for inner_archive.zip and outer_delivery.zip creation by powershell.exe in %TEMP%. EventCode 1 for powershell.exe with ZipFile.CreateFromDirectory in CommandLine.

  4. Test 4: Expand-Archive to AppData Staging Location

    Expected signal: Sysmon EventCode 1 for powershell.exe with 'Expand-Archive' and AppData path in CommandLine. EventCode 11 for the extracted .ps1 file creation in %APPDATA%.

