Detect Compression in CrowdStrike LogScale
Adversaries compress payloads using ZIP, gzip, 7z, RAR, and other archive formats to obfuscate malicious content and evade detection. Key techniques include: nested archives (RAR inside ZIP as used by DarkWatchman), concatenated ZIP files where two ZIP central directories are merged into a single file (Perception Point research — some ZIP parsers like 7zip only read the first archive, missing the embedded malicious payload), self-extracting (SFX) archives that execute without requiring additional software, and in-memory compressed shellcode stored in registry keys (Pillowmint/FIN7). Groups include Gamaredon, Molerats, Higaisa, Leviathan, and BlackTech (Flagpro), as well as malware families RTM, Hancitor, StrelaStealer, SUNBURST, and SUNBURST.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.015 Compression
- Canonical reference
- https://attack.mitre.org/techniques/T1027/015/
LogScale Detection Query
// T1027.015 - Compression: Archive extraction to staging, PowerShell decompression, SFX execution
// Detection 1: Archive tool extracting to suspicious staging paths
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(7z|7za|7zr|winrar|unrar)\.exe$/
| CommandLine=/(?: x | e | t )/i
| CommandLine=/(?i)(\\Temp\\|AppData|ProgramData|Users\\Public)/
| eval detection_type="archive_extraction_to_staging"
| eval risk_score=60
| fields timestamp, ComputerName, UserName, detection_type, risk_score, ImageFileName, CommandLine, ParentBaseFileName, TargetProcessId
// Detection 2: PowerShell in-memory decompression
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)powershell\.exe$/
| CommandLine=/(?i)(GZipStream|DeflateStream|IO\.Compression|System\.IO\.Compression|Expand-Archive|ExtractToDirectory)/
| eval detection_type="powershell_decompress_or_extract"
| eval risk_score=80
| fields timestamp, ComputerName, UserName, detection_type, risk_score, ImageFileName, CommandLine, ParentBaseFileName
// Detection 3: Archive file written to staging path by browser or email client
#event_simpleName=NewExecutableWritten OR #event_simpleName=NewScriptWritten
| TargetFileName=/(?i)\.(zip|rar|7z|gz|tar)$/
| TargetFileName=/(?i)(Downloads|Temp|AppData)/
| ImageFileName=/(?i)(outlook|thunderbird|chrome|msedge|firefox|iexplore)\.exe$/
| eval detection_type="archive_delivered_via_email_browser"
| eval risk_score=55
| fields timestamp, ComputerName, UserName, detection_type, risk_score, ImageFileName, TargetFileName
// Unified summary with groupBy for analyst triage
// Run each detection block separately or union with append in Investigate
// Aggregate view:
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(7z|7za|7zr|winrar|unrar|powershell)\.exe$/
| CommandLine=/(?i)(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory| x | e | t )/
| CommandLine=/(?i)(\\Temp\\|AppData|ProgramData|Users\\Public)/
| groupBy([ComputerName, ImageFileName, #event_simpleName], function=[count(as=event_count), collect(CommandLine, limit=5)])
| sort(event_count, order=desc)
| limit 200CrowdStrike LogScale (Falcon) queries using ProcessRollup2 and file write events to detect archive tool extraction to staging paths, PowerShell in-memory decompression patterns, and archive delivery via browser/email. Includes an aggregation view for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Software deployment pipelines or MDM tools that invoke 7z.exe or WinRAR with extraction flags targeting AppData or ProgramData as part of legitimate package delivery workflows
- DevOps or developer workstations where PowerShell scripts routinely use IO.Compression or Expand-Archive to unpack build artifacts or NuGet packages into local temp directories
- Security incident response toolkits or forensics agents (e.g., Velociraptor, KAPE) that use archive tools to collect and stage evidence, triggering archive-to-staging signatures
Other platforms for T1027.015
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Extract Archive to Staging Directory using 7-Zip
Expected signal: Sysmon EventCode 1 for 7z.exe with 'x' and output directory containing 'Temp' in CommandLine. EventCode 11 for ZIP creation and extracted file creation in %TEMP%.
- Test 2PowerShell In-Memory GZip Decompression (Pillowmint Registry Pattern)
Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 captures GZipStream usage and Invoke-Expression on decompressed content.
- Test 3Nested Archive Delivery Simulation (DarkWatchman Pattern)
Expected signal: Sysmon EventCode 11 for inner_archive.zip and outer_delivery.zip creation by powershell.exe in %TEMP%. EventCode 1 for powershell.exe with ZipFile.CreateFromDirectory in CommandLine.
- Test 4Expand-Archive to AppData Staging Location
Expected signal: Sysmon EventCode 1 for powershell.exe with 'Expand-Archive' and AppData path in CommandLine. EventCode 11 for the extracted .ps1 file creation in %APPDATA%.
References (7)
- https://attack.mitre.org/techniques/T1027/015
- https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
- https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech
- https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://blog.talosintelligence.com/cisco-talos-gamaredon-group-adversary/
Unlock Pro Content
Get the full detection package for T1027.015 including response playbook, investigation guide, and atomic red team tests.