T1027.015 IBM QRadar · QRadar

Detect Compression in IBM QRadar

Adversaries compress payloads with ZIP, gzip, 7z, RAR, and other archive formats to obfuscate malicious content and evade detection. Key techniques include nested archives (a RAR inside a ZIP, as used by DarkWatchman); concatenated ZIP files, where two ZIP central directories are merged into a single file (Perception Point research: some ZIP parsers, such as 7-Zip, read only the first archive and miss the embedded malicious payload); self-extracting (SFX) archives that run without requiring additional software; and in-memory compressed shellcode stored in registry keys (Pillowmint/FIN7). Groups observed using this technique include Gamaredon, Molerats, Higaisa, Leviathan, and BlackTech (Flagpro), along with the malware families RTM, Hancitor, StrelaStealer, and SUNBURST.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.015 Compression
Canonical reference: https://attack.mitre.org/techniques/T1027/015/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  "devicehostname" AS hostname,
  "username" AS username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_file,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Image") MATCHES '.*(7z|7za|7zr|winrar|unrar)\.exe'
         AND LOWER("CommandLine") MATCHES '.*( x | e | t ).*'
         AND LOWER("CommandLine") MATCHES '.*(\\temp|appdata|programdata|public).*'
      THEN 'archive_extraction_to_staging'
    WHEN LOWER("Image") MATCHES '.*powershell\.exe'
         AND "CommandLine" IMATCHES '.*(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory).*'
      THEN 'powershell_decompress_or_extract'
    WHEN LOWER("TargetFilename") MATCHES '.*\.(zip|rar|7z|gz|tar)'
         AND LOWER("TargetFilename") MATCHES '.*(downloads|temp|appdata).*'
         AND LOWER("Image") MATCHES '.*(outlook|thunderbird|chrome|msedge|firefox)\.exe'
      THEN 'archive_delivered_via_email_browser'
    WHEN LOWER("TargetFilename") MATCHES '.*\.zip'
         AND LOWER("Image") MATCHES '.*(7z|winrar|unrar)\.exe'
      THEN 'nested_archive_extracted'
    ELSE 'unknown'
  END AS detection_type,
  CASE
    WHEN "CommandLine" IMATCHES '.*(GZipStream|DeflateStream|IO\.Compression).*' THEN 80
    WHEN LOWER("TargetFilename") MATCHES '.*\.zip' AND LOWER("Image") MATCHES '.*(7z|winrar)\.exe' THEN 65
    WHEN LOWER("Image") MATCHES '.*(7z|7za|winrar|unrar)\.exe' AND LOWER("CommandLine") MATCHES '.*(temp|appdata).*' THEN 60
    WHEN LOWER("TargetFilename") MATCHES '.*(downloads|temp|appdata).*' AND LOWER("Image") MATCHES '.*(outlook|chrome)\.exe' THEN 55
    ELSE 50
  END AS risk_score
FROM events
WHERE LOGSOURCETYPEID IN (12, 67, 90)
  AND QIDNAME(qid) IN ('Process Creation', 'File Created', 'Sysmon')
  AND (
    (LOWER("Image") MATCHES '.*(7z|7za|7zr|winrar|unrar)\.exe'
     AND LOWER("CommandLine") MATCHES '.*( x | e | t ).*'
     AND LOWER("CommandLine") MATCHES '.*(\\temp|appdata|programdata|public).*')
    OR (LOWER("Image") MATCHES '.*powershell\.exe'
        AND "CommandLine" IMATCHES '.*(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory).*')
    OR (LOWER("TargetFilename") MATCHES '.*\.(zip|rar|7z|gz|tar)'
        AND LOWER("TargetFilename") MATCHES '.*(downloads|temp|appdata).*'
        AND LOWER("Image") MATCHES '.*(outlook|thunderbird|chrome|msedge|firefox)\.exe')
    OR (LOWER("TargetFilename") MATCHES '.*\.zip'
        AND LOWER("Image") MATCHES '.*(7z|winrar|unrar)\.exe')
  )
ORDER BY risk_score DESC
LAST 24 HOURS
```

Severity: medium. Confidence: medium.

AQL query for QRadar that detects archive extraction to staging directories, PowerShell decompression patterns, and archive files written by a browser or email client. It uses the Sysmon log source type IDs for process creation (Event ID 1) and file creation (Event ID 11) events. AQL MATCHES and IMATCHES must match the entire field value, so every pattern is wrapped in '.*' rather than being applied as a substring search, and the WHERE clause carries the same four branches as the detection_type CASE so that each label, including 'nested_archive_extracted', can actually be produced.

Data Sources

  • IBM QRadar with Sysmon DSM
  • Windows Security Event Log DSM
  • QRadar Endpoint Detection

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment systems (SCCM, Intune, Ansible) that routinely extract archives to ProgramData or AppData during managed software rollout
  • Developer workstations where build pipelines download and extract dependency archives to temp directories as part of normal CI/CD activity
  • Backup and archival agents that periodically compress and decompress data using PowerShell IO.Compression classes for cloud backup
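As an added example (not code from the page or from IBM), the following Python mirrors the query's detection_type and risk_score CASE logic and runs it over constructed Sysmon-style events, including one shaped like the SCCM-style rollout listed under False Positives. The regexes carry '.*' wrappers and are evaluated with re.fullmatch because AQL MATCHES and IMATCHES must match the entire field value.

```python
import re
# Added example, not the page's or IBM's code: a mirror of the query's CASE logic run
# over constructed Sysmon-style events. AQL MATCHES/IMATCHES must match the WHOLE field
# value, hence the ".*" wrappers; re.fullmatch reproduces that semantics here.
def matches_like_aql(pattern, value):
    return re.fullmatch(pattern, value.lower()) is not None

ARCHIVER = r".*(7z|7za|7zr|winrar|unrar)\.exe"
STAGING_ARGS = [r".*( x | e | t ).*", r".*(\\temp|appdata|programdata|public).*"]
PS_DECOMP = r".*(gzipstream|deflatestream|io\.compression|expand-archive|extracttodirectory).*"
CLIENTS = r".*(outlook|thunderbird|chrome|msedge|firefox)\.exe"
# Same order as the query's detection_type CASE: (label, [(field, regex), ...]).
DETECTION_TYPES = [
    ("archive_extraction_to_staging", [("Image", ARCHIVER)] + [("CommandLine", p) for p in STAGING_ARGS]),
    ("powershell_decompress_or_extract", [("Image", r".*powershell\.exe"), ("CommandLine", PS_DECOMP)]),
    ("archive_delivered_via_email_browser", [("TargetFilename", r".*\.(zip|rar|7z|gz|tar)"),
                                             ("TargetFilename", r".*(downloads|temp|appdata).*"),
                                             ("Image", CLIENTS)]),
    ("nested_archive_extracted", [("TargetFilename", r".*\.zip"), ("Image", r".*(7z|winrar|unrar)\.exe")]),
]
# Same order as the query's risk_score CASE; the ELSE value is 50.
RISK_SCORES = [
    (80, [("CommandLine", r".*(gzipstream|deflatestream|io\.compression).*")]),
    (65, [("TargetFilename", r".*\.zip"), ("Image", r".*(7z|winrar)\.exe")]),
    (60, [("Image", r".*(7z|7za|winrar|unrar)\.exe"), ("CommandLine", r".*(temp|appdata).*")]),
    (55, [("TargetFilename", r".*(downloads|temp|appdata).*"), ("Image", r".*(outlook|chrome)\.exe")]),
]

def _all_match(event, conditions):
    # A missing field behaves like an empty string, which no ".*x.*" pattern matches.
    return all(matches_like_aql(pat, event.get(field, "")) for field, pat in conditions)

def classify(event):
    """Return (detection_type, risk_score), or None when no WHERE branch admits the event."""
    label = next((lbl for lbl, conds in DETECTION_TYPES if _all_match(event, conds)), None)
    if label is None:
        return None
    return label, next((score for score, conds in RISK_SCORES if _all_match(event, conds)), 50)

# Constructed events, not real telemetry. The fourth mimics the SCCM-style rollout named
# under False Positives: it lands in the same bucket (at the ELSE score) and needs tuning.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": r"7z.exe x invoice.zip -oC:\Users\bob\AppData\Local\Temp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "New-Object IO.Compression.GZipStream($ms)"'},
    {"Image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\report.rar"},
    {"Image": r"C:\Windows\ccmcache\7z.exe", "CommandLine": r"7z.exe x app.7z -oC:\ProgramData\Vendor\App"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]
```

Calling classify on each SAMPLE_EVENTS entry shows the first four events landing in the expected buckets with scores 60, 80, 55 and 50, while the notepad event is filtered out entirely.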

Testing Methodology

Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Extract Archive to Staging Directory using 7-Zip

    Expected signal: Sysmon EventCode 1 for 7z.exe with 'x' and output directory containing 'Temp' in CommandLine. EventCode 11 for ZIP creation and extracted file creation in %TEMP%.

  2. Test 2: PowerShell In-Memory GZip Decompression (Pillowmint Registry Pattern)

    Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 captures GZipStream usage and Invoke-Expression on decompressed content.

  3. Test 3: Nested Archive Delivery Simulation (DarkWatchman Pattern)

    Expected signal: Sysmon EventCode 11 for inner_archive.zip and outer_delivery.zip creation by powershell.exe in %TEMP%. EventCode 1 for powershell.exe with ZipFile.CreateFromDirectory in CommandLine.

  4. Test 4: Expand-Archive to AppData Staging Location

    Expected signal: Sysmon EventCode 1 for powershell.exe with 'Expand-Archive' and AppData path in CommandLine. EventCode 11 for the extracted .ps1 file creation in %APPDATA%.
