Detect Compression in Sumo Logic CSE
Adversaries compress payloads with ZIP, gzip, 7z, RAR and other archive formats to obfuscate malicious content and evade detection. Key techniques include nested archives (a RAR inside a ZIP, as used by DarkWatchman); concatenated ZIP files, where two ZIP central directories are merged into a single file so that parsers such as 7-Zip read only the first archive and miss the embedded malicious payload (Perception Point research); self-extracting (SFX) archives that run without additional software; and in-memory compressed shellcode stored in registry keys (Pillowmint/FIN7). Groups observed using the technique include Gamaredon, Molerats, Higaisa, Leviathan and BlackTech (Flagpro), along with the malware families RTM, Hancitor, StrelaStealer and SUNBURST.
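Two of the evasion patterns above, nested archives and concatenated ZIP files, can be triaged on a file blob before anything opens it. The Python below is an added example, not code from this page or its detection package: it counts structurally valid End Of Central Directory (EOCD) records to flag concatenation, identifies members that are themselves archives by their leading bytes rather than their extension, and reports which members a standard parser (Python's zipfile) actually sees, which is the blind spot the concatenation trick relies on. The sample archives are constructed inline from harmless text; the magic-byte table and function names are the example's own.

```python
import io
import struct
import zipfile

# Leading bytes of the archive formats named above (constructed lookup, not from the page).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header


def archive_type(data: bytes):
    """Identify an archive by its leading bytes, ignoring the file extension."""
    for magic, name in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def find_eocd_records(data: bytes):
    """Offsets of structurally valid EOCD records. A well-formed ZIP has exactly one;
    two or more means a second archive was appended (the concatenated-ZIP trick).
    A candidate counts only if its central directory sits directly before it and it
    is followed by its own comment and then either EOF or another local file header,
    which filters out signature bytes that happen to occur inside member data."""
    offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(data):
            cd_size = struct.unpack_from("<I", data, pos + 12)[0]
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            cd_start = pos - cd_size
            end = pos + 22 + comment_len
            if (cd_start >= 0 and data[cd_start:cd_start + 4] == CDH_SIG
                    and (end == len(data) or data[end:end + 4] == LFH_SIG)):
                offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def inspect_zip(data: bytes):
    """Members a standard parser sees, plus those whose content is itself an archive."""
    visible, nested = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            visible.append(info.filename)
            if info.is_dir():
                continue
            with zf.open(info) as member:
                kind = archive_type(member.read(8))
            if kind:
                nested.append((info.filename, kind))
    return visible, nested


def triage(data: bytes) -> dict:
    """Summarise both evasion patterns for one file blob."""
    eocds = find_eocd_records(data)
    result = {"eocd_records": len(eocds), "concatenated": len(eocds) > 1,
              "visible_members": [], "nested": []}
    if archive_type(data) == "zip":
        result["visible_members"], result["nested"] = inspect_zip(data)
    return result


def build_zip(files: dict) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (harmless text, not real malware).
BENIGN_ZIP = build_zip({"report.txt": b"quarterly numbers"})
INNER_ZIP = build_zip({"payload.txt": b"inner content"})
NESTED_ZIP = build_zip({"readme.txt": b"hello", "inner_archive.zip": INNER_ZIP})
# Two complete ZIPs glued together: zipfile reads the last EOCD and never shows report.txt.
CONCATENATED_ZIP = BENIGN_ZIP + build_zip({"invoice.txt": b"second archive"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("nested", NESTED_ZIP),
                        ("concatenated", CONCATENATED_ZIP)]:
        print(label, triage(blob))
```

Running the script shows the concatenated sample reporting two EOCD records while the parser lists only `invoice.txt`, and the nested sample reporting `inner_archive.zip` as a ZIP regardless of what it had been renamed to.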
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.015 Compression
- Canonical reference: https://attack.mitre.org/techniques/T1027/015/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=_raw "<Computer>*</Computer>" as computer nodrop
| where event_id in ("1", "11")
| where (
    // 7-Zip/WinRAR extraction ('x' or 'e') into a staging directory
    (
      event_id = "1"
      AND matches(toLowerCase(image), ".*(7z|7za|7zr|winrar|unrar)\.exe.*")
      AND (matches(toLowerCase(command_line), ".* x .*") OR matches(toLowerCase(command_line), ".* e .*"))
      AND matches(toLowerCase(command_line), ".*(\\temp|appdata|programdata|public).*")
    )
    // PowerShell using .NET compression classes or Expand-Archive
    OR (
      event_id = "1"
      AND matches(toLowerCase(image), ".*powershell\.exe.*")
      AND matches(command_line, "(?i).*(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory).*")
    )
    // Archive written to a download/staging path by a mail client or browser
    OR (
      event_id = "11"
      AND matches(toLowerCase(target_filename), ".*\.(zip|rar|7z|gz|tar)$")
      AND matches(toLowerCase(target_filename), ".*(downloads|temp|appdata).*")
      AND matches(toLowerCase(image), ".*(outlook|thunderbird|chrome|msedge|firefox)\.exe.*")
    )
    // Archiver writing a .zip: an inner archive being unpacked from an outer one
    OR (
      event_id = "11"
      AND matches(toLowerCase(target_filename), ".*\.zip$")
      AND matches(toLowerCase(image), ".*(7z|winrar|unrar)\.exe.*")
    )
  )
| if(event_id = "1" AND matches(toLowerCase(image), ".*(7z|7za|7zr|winrar|unrar)\.exe.*"), "archive_extraction_to_staging",
    if(event_id = "1" AND matches(toLowerCase(image), ".*powershell\.exe.*"), "powershell_decompress",
      if(event_id = "11" AND matches(toLowerCase(image), ".*(7z|winrar|unrar)\.exe.*") AND matches(toLowerCase(target_filename), ".*\.zip$"), "nested_archive_extracted",
        "archive_delivered_via_email_browser"))) as detection_type
| if(detection_type = "powershell_decompress", 80,
    if(detection_type = "nested_archive_extracted", 65,
      if(detection_type = "archive_extraction_to_staging", 60, 55))) as risk_score
| fields _messagetime, computer, detection_type, risk_score, image, command_line, target_filename, parent_image
| sort by risk_score desc
Sumo Logic query detecting archive extraction to staging directories, PowerShell decompression, nested-archive extraction, and archive delivery via email clients or browsers, using Sysmon Event IDs 1 and 11. It parses the Sysmon XML directly and assigns a risk score per detection type.
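To validate the query's regexes and scoring offline before deploying them, the following Python is an added example (not part of this page or the Sumo Logic package) that applies the same field anchors, patterns and risk scores to a handful of constructed Sysmon-style events, including two that must not fire: an archiver creating rather than extracting an archive, and an unrelated file write. The event XML, hostnames and paths are constructed; the rendering your collector produces may quote Data names with double rather than single quotes, so confirm the anchors against one real event first.

```python
import re

# Field anchors mirroring the query's parse statements. Computer lives in the <System>
# block of the event XML; the rest are <Data> elements in <EventData>.
FIELD_PATTERNS = {
    "event_id": re.compile(r"<EventID>(.*?)</EventID>"),
    "computer": re.compile(r"<Computer>(.*?)</Computer>"),
    "image": re.compile(r"<Data Name='Image'>(.*?)</Data>"),
    "command_line": re.compile(r"<Data Name='CommandLine'>(.*?)</Data>"),
    "target_filename": re.compile(r"<Data Name='TargetFilename'>(.*?)</Data>"),
    "parent_image": re.compile(r"<Data Name='ParentImage'>(.*?)</Data>"),
}

# The query's own regexes. Sumo's matches() compares the whole string, hence re.fullmatch().
ARCHIVER = r".*(7z|7za|7zr|winrar|unrar)\.exe.*"
EXTRACT_VERBS = (r".* x .*", r".* e .*")
STAGING_DIR = r".*(\\temp|appdata|programdata|public).*"
POWERSHELL = r".*powershell\.exe.*"
PS_DECOMPRESS = r"(?i).*(GZipStream|DeflateStream|IO\.Compression|Expand-Archive|ExtractToDirectory).*"
ARCHIVE_EXT = r".*\.(zip|rar|7z|gz|tar)$"
DROP_DIR = r".*(downloads|temp|appdata).*"
MAIL_OR_BROWSER = r".*(outlook|thunderbird|chrome|msedge|firefox)\.exe.*"
NESTED_ARCHIVER = r".*(7z|winrar|unrar)\.exe.*"

RISK = {"powershell_decompress": 80, "nested_archive_extracted": 65,
        "archive_extraction_to_staging": 60, "archive_delivered_via_email_browser": 55}


def parse_event(raw: str) -> dict:
    """Extract the query's fields from one rendered event; missing fields become '' (nodrop)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(raw)
        fields[name] = match.group(1) if match else ""
    return fields


def classify(ev: dict):
    """Return the detection_type the query would assign, or None when no branch matches."""
    eid, image = ev["event_id"], ev["image"].lower()
    cmd, target = ev["command_line"], ev["target_filename"].lower()
    if eid == "1" and re.fullmatch(ARCHIVER, image):
        if (any(re.fullmatch(v, cmd.lower()) for v in EXTRACT_VERBS)
                and re.fullmatch(STAGING_DIR, cmd.lower())):
            return "archive_extraction_to_staging"
        return None
    if eid == "1" and re.fullmatch(POWERSHELL, image) and re.fullmatch(PS_DECOMPRESS, cmd):
        return "powershell_decompress"
    if eid == "11" and re.fullmatch(r".*\.zip$", target) and re.fullmatch(NESTED_ARCHIVER, image):
        return "nested_archive_extracted"
    if (eid == "11" and re.fullmatch(ARCHIVE_EXT, target) and re.fullmatch(DROP_DIR, target)
            and re.fullmatch(MAIL_OR_BROWSER, image)):
        return "archive_delivered_via_email_browser"
    return None


def triage_events(raw_events):
    """Run the detection over rendered events and return scored rows, highest risk first."""
    rows = []
    for raw in raw_events:
        ev = parse_event(raw)
        dtype = classify(ev)
        if dtype:
            rows.append({"computer": ev["computer"], "detection_type": dtype,
                         "risk_score": RISK[dtype], "image": ev["image"],
                         "command_line": ev["command_line"],
                         "target_filename": ev["target_filename"],
                         "parent_image": ev["parent_image"]})
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


def sysmon_xml(event_id, computer, **data):
    """Constructed minimal Sysmon-style event XML using the single-quoted Data names the query parses."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample events: four that should fire, two that should not.
SAMPLE_EVENTS = [
    sysmon_xml(1, "WS01", Image=r"C:\Program Files\7-Zip\7z.exe",
               CommandLine=r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\u\Downloads\pkg.zip -oC:\Users\u\AppData\Local\Temp\stage',
               ParentImage=r"C:\Windows\explorer.exe"),
    sysmon_xml(1, "WS02", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               CommandLine="powershell.exe -c $s = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)",
               ParentImage=r"C:\Windows\explorer.exe"),
    sysmon_xml(11, "WS03", Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               TargetFilename=r"C:\Users\u\Downloads\invoice.zip"),
    sysmon_xml(11, "WS01", Image=r"C:\Program Files\7-Zip\7z.exe",
               TargetFilename=r"C:\Users\u\AppData\Local\Temp\stage\inner_archive.zip"),
    sysmon_xml(11, "WS04", Image=r"C:\Windows\explorer.exe",
               TargetFilename=r"C:\Users\u\Documents\notes.docx"),  # unrelated write: no match
    sysmon_xml(1, "WS05", Image=r"C:\Program Files\7-Zip\7z.exe",
               CommandLine=r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\u\AppData\Local\backup.7z C:\Users\u\Documents',
               ParentImage=r"C:\Windows\explorer.exe"),  # archiving, not extracting: no match
]

if __name__ == "__main__":
    for row in triage_events(SAMPLE_EVENTS):
        print(row["risk_score"], row["detection_type"], row["computer"])
```

The two non-firing samples are the useful part for tuning: they exercise the 'x'/'e' verb requirement and the extension filter, which is where the false-positive sources listed below tend to slip through when a pattern is loosened.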
Data Sources
Required Tables
False Positives & Tuning
- Automated patch management or software packaging tools (e.g., PDQ Deploy, Chocolatey) that extract archives to AppData or ProgramData as part of legitimate software updates
- Data science or development environments that use PowerShell compression libraries to process datasets or build artifacts in temp directories
- Security scanning tools such as antivirus or vulnerability scanners that open and inspect archive files retrieved via browsers from known-safe repositories
Other platforms for T1027.015
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Extract Archive to Staging Directory using 7-Zip
  Expected signal: Sysmon EventCode 1 for 7z.exe with 'x' and output directory containing 'Temp' in CommandLine. EventCode 11 for ZIP creation and extracted file creation in %TEMP%.
- Test 2: PowerShell In-Memory GZip Decompression (Pillowmint Registry Pattern)
  Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 captures GZipStream usage and Invoke-Expression on decompressed content.
- Test 3: Nested Archive Delivery Simulation (DarkWatchman Pattern)
  Expected signal: Sysmon EventCode 11 for inner_archive.zip and outer_delivery.zip creation by powershell.exe in %TEMP%. EventCode 1 for powershell.exe with ZipFile.CreateFromDirectory in CommandLine.
- Test 4: Expand-Archive to AppData Staging Location
  Expected signal: Sysmon EventCode 1 for powershell.exe with 'Expand-Archive' and AppData path in CommandLine. EventCode 11 for the extracted .ps1 file creation in %APPDATA%.
References
- https://attack.mitre.org/techniques/T1027/015
- https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
- https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech
- https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://blog.talosintelligence.com/cisco-talos-gamaredon-group-adversary/