T1027.015 Elastic Security · Elastic

Detect Compression in Elastic Security

Adversaries compress payloads using ZIP, gzip, 7z, RAR, and other archive formats to obfuscate malicious content and evade detection. Key techniques include: nested archives (RAR inside ZIP as used by DarkWatchman), concatenated ZIP files where two ZIP central directories are merged into a single file (Perception Point research — some ZIP parsers like 7zip only read the first archive, missing the embedded malicious payload), self-extracting (SFX) archives that execute without requiring additional software, and in-memory compressed shellcode stored in registry keys (Pillowmint/FIN7). Groups include Gamaredon, Molerats, Higaisa, Leviathan, and BlackTech (Flagpro), as well as malware families RTM, Hancitor, StrelaStealer, SUNBURST, and SUNBURST.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.015 Compression
Canonical reference
https://attack.mitre.org/techniques/T1027/015/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=2m
  [process where event.type == "start" and (
    (process.name in~ ("7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "unrar.exe") and
     process.args : ("x", "e", "t") and
     process.args : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*"))
    or
    (process.name : "powershell.exe" and
     process.command_line : ("*GZipStream*", "*DeflateStream*", "*IO.Compression*", "*Expand-Archive*", "*ExtractToDirectory*"))
  )]
  [process where event.type == "start" and
   process.parent.name in~ ("7z.exe", "7za.exe", "winrar.exe", "powershell.exe") and
   process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")]

sequence by host.id with maxspan=30s
  [file where event.type == "creation" and
   file.extension in~ ("zip", "rar", "7z", "gz", "tar") and
   file.path : ("*\\Downloads\\*", "*\\Temp\\*", "*\\AppData\\*") and
   process.name in~ ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe")]
  [process where event.type == "start" and
   process.name in~ ("7z.exe", "7za.exe", "winrar.exe", "unrar.exe")]
medium severity medium confidence

Detects suspicious archive extraction to staging paths, PowerShell in-memory decompression, and archive delivery via email/browser clients followed by extraction tool execution. Covers nested archive delivery patterns and self-extracting archive execution chains.

Data Sources

Elastic EndpointWinlogbeat with SysmonElastic Agent

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Legitimate software installers and update mechanisms that decompress archives to ProgramData or AppData during installation (e.g., Chocolatey, Ninite, enterprise software deployment tools)
  • IT administrators or developers using 7-Zip or WinRAR via scripts to deploy or stage software packages to standard paths
  • Security tools or EDR agents that use PowerShell GZipStream for log compression or telemetry collection
Download portable Sigma rule (.yml)

Other platforms for T1027.015

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Extract Archive to Staging Directory using 7-Zip

    Expected signal: Sysmon EventCode 1 for 7z.exe with 'x' and output directory containing 'Temp' in CommandLine. EventCode 11 for ZIP creation and extracted file creation in %TEMP%.

  2. Test 2PowerShell In-Memory GZip Decompression (Pillowmint Registry Pattern)

    Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 captures GZipStream usage and Invoke-Expression on decompressed content.

  3. Test 3Nested Archive Delivery Simulation (DarkWatchman Pattern)

    Expected signal: Sysmon EventCode 11 for inner_archive.zip and outer_delivery.zip creation by powershell.exe in %TEMP%. EventCode 1 for powershell.exe with ZipFile.CreateFromDirectory in CommandLine.

  4. Test 4Expand-Archive to AppData Staging Location

    Expected signal: Sysmon EventCode 1 for powershell.exe with 'Expand-Archive' and AppData path in CommandLine. EventCode 11 for the extracted .ps1 file creation in %APPDATA%.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1027.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.016Junk Code InsertionT1027.017SVG Smuggling

Same Tactic: Defense Evasion

Popular Detections