Detect Compression in Microsoft Sentinel
Adversaries compress payloads using ZIP, gzip, 7z, RAR, and other archive formats to obfuscate malicious content and evade detection. Key techniques include: nested archives (RAR inside ZIP as used by DarkWatchman), concatenated ZIP files where two ZIP central directories are merged into a single file (Perception Point research — some ZIP parsers like 7zip only read the first archive, missing the embedded malicious payload), self-extracting (SFX) archives that execute without requiring additional software, and in-memory compressed shellcode stored in registry keys (Pillowmint/FIN7). Groups include Gamaredon, Molerats, Higaisa, Leviathan, and BlackTech (Flagpro), as well as malware families RTM, Hancitor, StrelaStealer, SUNBURST, and SUNBURST.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.015 Compression
- Canonical reference
- https://attack.mitre.org/techniques/T1027/015/
KQL Detection Query
// T1027.015 - Compression
// Detect suspicious archive extraction patterns, SFX execution, and nested archive delivery
let SuspiciousExtraction = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (
// 7zip / WinRAR extracting to suspicious staging paths
(FileName in~ ("7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "unrar.exe")
and ProcessCommandLine has_any ("x ", "e ", "t ")
and ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Users\\Public\\")
)
// PowerShell GZip/Deflate decompress pattern
or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("GZipStream", "DeflateStream", "IO.Compression", "System.IO.Compression"))
// Expand-Archive extracting to temp/staging location
or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Expand-Archive", "Extract()", "ExtractToDirectory")
and ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\ProgramData\\"))
)
| extend DetectionType = case(
FileName in~ ("7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "unrar.exe"), "archive_tool_extraction_staging",
ProcessCommandLine has_any ("GZipStream", "DeflateStream"), "powershell_memory_decompress",
"powershell_extract_archive_staging"
);
let SelfExtractingArchive = DeviceProcessEvents
| where ActionType == "ProcessCreated"
// SFX archives: executable file that extracts and runs content without external tools
| where FileName endswith ".exe"
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\Desktop\\", "\\AppData\\", "\\Users\\Public\\")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe", "firefox.exe")
// SFX processes often spawn cmd.exe or powershell.exe immediately after extraction
| join kind=inner (
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| where InitiatingProcessFolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\")
) on DeviceId
| extend DetectionType = "self_extracting_archive_exec";
let NestedArchiveDelivery = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\")
// High-risk parent process: email client or browser downloading the archive
| where InitiatingProcessFileName in~ ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
| extend DetectionType = "archive_via_email_or_browser";
SuspiciousExtraction
| union SelfExtractingArchive
| union NestedArchiveDelivery
| project-reorder Timestamp, DeviceName, DetectionType, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileNameThree detection layers: archive tool (7z/WinRAR) extraction to staging paths, PowerShell in-memory decompression (GZipStream/DeflateStream), and SFX archive execution from user-writable directories. Nested archive detection covers email/browser delivery of ZIP/RAR/7z files. Very high FP rate expected — tune on staging directory paths and require additional context (suspicious parent process, followed by execution of extracted content).
Other platforms for T1027.015
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Extract Archive to Staging Directory using 7-Zip
Expected signal: Sysmon EventCode 1 for 7z.exe with 'x' and output directory containing 'Temp' in CommandLine. EventCode 11 for ZIP creation and extracted file creation in %TEMP%.
- Test 2PowerShell In-Memory GZip Decompression (Pillowmint Registry Pattern)
Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 captures GZipStream usage and Invoke-Expression on decompressed content.
- Test 3Nested Archive Delivery Simulation (DarkWatchman Pattern)
Expected signal: Sysmon EventCode 11 for inner_archive.zip and outer_delivery.zip creation by powershell.exe in %TEMP%. EventCode 1 for powershell.exe with ZipFile.CreateFromDirectory in CommandLine.
- Test 4Expand-Archive to AppData Staging Location
Expected signal: Sysmon EventCode 1 for powershell.exe with 'Expand-Archive' and AppData path in CommandLine. EventCode 11 for the extracted .ps1 file creation in %APPDATA%.
References (7)
- https://attack.mitre.org/techniques/T1027/015
- https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
- https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech
- https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://blog.talosintelligence.com/cisco-talos-gamaredon-group-adversary/
Unlock Pro Content
Get the full detection package for T1027.015 including response playbook, investigation guide, and atomic red team tests.