T1560.002

Archive via Library

Adversaries may compress or encrypt collected data prior to exfiltration using third-party or built-in programming libraries rather than standalone archival utilities. Libraries such as Python's zlib, bzip2, gzip, zipfile, and rarfile modules; .NET's System.IO.Compression (GZipStream, DeflateStream, ZipArchive); C libraries libzip and zlib; and platform-native libraries enable adversaries to compress and encrypt data programmatically within a running process. Because no separate archival utility process (7-Zip, WinRAR, tar) is spawned, this technique evades detections focused on command-line archivers. Malware families including TajMahal, LunarWeb, SeaDuke, BBSRAT, InvisiMole, and Denis have all used library-based compression to stage and exfiltrate collected data.

Microsoft Sentinel / Defender

kusto

let CompressionDlls = dynamic(["zlib.dll", "zlib1.dll", "zlibwapi.dll", "bzip2.dll", "libbzip2.dll", "libzip.dll", "minizip.dll"]);
let ScriptingInterpreters = dynamic(["python.exe", "python3.exe", "ruby.exe", "perl.exe", "node.exe", "java.exe", "javaw.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
let StagingPaths = dynamic(["\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\ProgramData\\", "\\Users\\Public\\"]);
// Branch 1: Compression DLLs loaded by unexpected processes
let CompDllLoads =
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (CompressionDlls)
    | where not(FolderPath has_any ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Program Files\\7-Zip\\", "C:\\Program Files (x86)\\7-Zip\\", "C:\\Program Files\\WinRAR\\"))
    | extend DetectionSource = "CompressionDllLoad"
    | project Timestamp, DeviceName, AccountName, DetectionSource,
              ProcessName = InitiatingProcessFileName,
              ProcessCmdLine = InitiatingProcessCommandLine,
              LibraryLoaded = FileName, LibraryPath = FolderPath,
              ParentProcess = InitiatingProcessParentFileName;
// Branch 2: PowerShell using .NET compression classes
let PSCompression =
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any (
        "IO.Compression", "GZipStream", "DeflateStream", "ZipFile", "ZipArchive",
        "BinaryWriter", "MemoryStream", "Compress", "System.IO.Compression",
        "ICSharpCode.SharpZipLib", "DotNetZip"
      )
    | extend DetectionSource = "PowerShellLibraryCompression"
    | project Timestamp, DeviceName, AccountName, DetectionSource,
              ProcessName = FileName,
              ProcessCmdLine = ProcessCommandLine,
              LibraryLoaded = "System.IO.Compression (in-process)", LibraryPath = "",
              ParentProcess = InitiatingProcessFileName;
// Branch 3: Python processes invoking compression library functions inline or via script args
let PythonCompression =
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("python.exe", "python3.exe", "python3.10.exe", "python3.11.exe", "python3.12.exe")
    | where ProcessCommandLine has_any (
        "import zlib", "import bz2", "import gzip", "import zipfile", "import rarfile",
        "import lzma", "import tarfile", "zlib.compress", "bz2.compress", "gzip.open",
        "zlib", "bzip2", "rarfile"
      )
    | extend DetectionSource = "PythonLibraryCompression"
    | project Timestamp, DeviceName, AccountName, DetectionSource,
              ProcessName = FileName,
              ProcessCmdLine = ProcessCommandLine,
              LibraryLoaded = "Python compression module", LibraryPath = "",
              ParentProcess = InitiatingProcessFileName;
// Branch 4: Compressed files written to staging paths by scripting interpreters
let StagedCompressedFiles =
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName has_any (".gz", ".bz2", ".zlib", ".lz", ".lzma", ".xz")
    | where FolderPath has_any (StagingPaths)
    | where InitiatingProcessFileName in~ (ScriptingInterpreters)
    | extend DetectionSource = "StagedCompressedFileCreation"
    | project Timestamp, DeviceName, AccountName, DetectionSource,
              ProcessName = InitiatingProcessFileName,
              ProcessCmdLine = InitiatingProcessCommandLine,
              LibraryLoaded = "File artifact: " + FileName, LibraryPath = FolderPath,
              ParentProcess = InitiatingProcessParentFileName;
CompDllLoads
| union PSCompression
| union PythonCompression
| union StagedCompressedFiles
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Module: Module Load Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate Python data science or ETL pipelines that compress output files using zlib or gzip before writing to storage (Spark, Pandas, Airflow DAGs)
Software installers and update agents that use zlib/bzip2 for package decompression and compression during installation
PowerShell-based backup or log rotation scripts that use System.IO.Compression.GZipStream to compress old logs or create compressed archives
Developer workstations running build tools (Maven, Gradle, npm) that link against or load compression libraries during compilation and packaging
Monitoring and APM agents (Datadog, New Relic, Elastic APM) that compress telemetry payloads before sending to collection endpoints

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
   (ImageLoaded="*\\zlib.dll" OR ImageLoaded="*\\zlib1.dll" OR ImageLoaded="*\\zlibwapi.dll"
    OR ImageLoaded="*\\bzip2.dll" OR ImageLoaded="*\\libbzip2.dll" OR ImageLoaded="*\\libzip.dll")
   NOT (Image="*\\7z.exe" OR Image="*\\7zG.exe" OR Image="*\\WinRAR.exe" OR Image="*\\msiexec.exe")
   NOT (ImageLoaded="*\\System32\\*" OR ImageLoaded="*\\SysWOW64\\*"))
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
   (CommandLine="*IO.Compression*" OR CommandLine="*GZipStream*" OR CommandLine="*DeflateStream*"
    OR CommandLine="*ZipArchive*" OR CommandLine="*ZipFile*" OR CommandLine="*ICSharpCode*"))
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\python.exe" OR Image="*\\python3.exe")
   (CommandLine="*import zlib*" OR CommandLine="*import bz2*" OR CommandLine="*import gzip*"
    OR CommandLine="*import zipfile*" OR CommandLine="*import rarfile*" OR CommandLine="*zlib.compress*"
    OR CommandLine="*bz2.compress*" OR CommandLine="*import lzma*" OR CommandLine="*import tarfile*"))
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
   (TargetFilename="*.gz" OR TargetFilename="*.bz2" OR TargetFilename="*.zlib" OR TargetFilename="*.lzma" OR TargetFilename="*.xz")
   (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\tmp\\*" OR TargetFilename="*\\AppData\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*")
   (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\ruby.exe" OR Image="*\\perl.exe"
    OR Image="*\\node.exe" OR Image="*\\java.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe"))
)
| eval DetectionSource=case(
    EventCode=7, "CompressionDllLoad",
    EventCode=1 AND (match(Image, "powershell") OR match(Image, "pwsh")), "PowerShellLibraryCompression",
    EventCode=1 AND match(Image, "python"), "PythonLibraryCompression",
    EventCode=11, "StagedCompressedFileCreation",
    true(), "Unknown"
  )
| eval ProcessPath=coalesce(Image, "")
| eval CmdLine=coalesce(CommandLine, ParentCommandLine, "")
| eval Artifact=coalesce(ImageLoaded, TargetFilename, "")
| table _time, host, User, DetectionSource, ProcessPath, CmdLine, Artifact, ParentImage, ParentCommandLine
| sort - _time

medium severity medium confidence

Data Sources

Module: Module Load Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 7 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Python data science or ETL pipelines compressing output files using zlib or gzip
Software installers and package managers (pip, conda, npm) that load compression libraries during package installation
PowerShell-based backup or log archival scripts using System.IO.Compression.GZipStream
Developer IDEs and build tools (Maven, Gradle, PyCharm) loading compression libraries during build and packaging operations
Monitoring agents compressing telemetry payloads before transmission

Elastic Security (EQL)

eql

any where
  (
    event.category == "library" and
    dll.name in~ ("zlib.dll", "zlib1.dll", "zlibwapi.dll", "bzip2.dll", "libbzip2.dll", "libzip.dll", "minizip.dll") and
    not dll.path like~ "*System32*" and not dll.path like~ "*SysWOW64*" and
    not dll.path like~ "*7-Zip*" and not dll.path like~ "*WinRAR*" and
    not process.name in~ ("7z.exe", "7zG.exe", "WinRAR.exe", "msiexec.exe")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe") and
    (
      process.command_line like~ "*IO.Compression*" or process.command_line like~ "*GZipStream*" or
      process.command_line like~ "*DeflateStream*" or process.command_line like~ "*ZipFile*" or
      process.command_line like~ "*ZipArchive*" or process.command_line like~ "*ICSharpCode*" or
      process.command_line like~ "*DotNetZip*"
    )
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("python.exe", "python3.exe") and
    (
      process.command_line like~ "*import zlib*" or process.command_line like~ "*import bz2*" or
      process.command_line like~ "*import gzip*" or process.command_line like~ "*import zipfile*" or
      process.command_line like~ "*import rarfile*" or process.command_line like~ "*zlib.compress*" or
      process.command_line like~ "*import lzma*" or process.command_line like~ "*import tarfile*"
    )
  ) or
  (
    event.category == "file" and event.type == "creation" and
    (file.name like~ "*.gz" or file.name like~ "*.bz2" or file.name like~ "*.zlib" or
     file.name like~ "*.lzma" or file.name like~ "*.xz" or file.name like~ "*.lz") and
    (file.path like~ "*\\Temp\\*" or file.path like~ "*\\AppData\\*" or
     file.path like~ "*\\ProgramData\\*" or file.path like~ "*\\Users\\Public\\*") and
    process.name in~ ("python.exe", "python3.exe", "ruby.exe", "perl.exe", "node.exe",
                      "java.exe", "javaw.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (7.16+) Sysmon via Winlogbeat with ECS mapping Auditbeat (Linux coverage)

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Python-based build tools (pip, setuptools, conda) that import zlib or gzip during dependency installation with imports visible in process command-line arguments passed to interpreter scripts
PowerShell deployment automation used by IT administrators that invokes System.IO.Compression to package software bundles or configuration payloads before staging on endpoints
Electron or Java desktop applications that ship bundled compression DLLs (zlib.dll, libbzip2.dll) in application-local directories outside System32 and load them during normal startup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  sourceip AS HostIP,
  "Image" AS ProcessPath,
  "CommandLine" AS CmdLine,
  COALESCE("ImageLoaded", "TargetFilename", '') AS Artifact,
  "ParentImage" AS ParentProcess,
  CASE
    WHEN "EventCode" = '7' THEN 'CompressionDllLoad'
    WHEN "EventCode" = '1' AND (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') THEN 'PowerShellLibraryCompression'
    WHEN "EventCode" = '1' AND LOWER("Image") LIKE '%python%' THEN 'PythonLibraryCompression'
    WHEN "EventCode" = '11' THEN 'StagedCompressedFileCreation'
    ELSE 'Unknown'
  END AS DetectionSource
FROM events
WHERE
  devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND LOGSOURCETYPEID(logsourceid) IN (SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%')
  AND (
    (
      "EventCode" = '7'
      AND (
        LOWER("ImageLoaded") LIKE '%\\zlib.dll' OR LOWER("ImageLoaded") LIKE '%\\zlib1.dll'
        OR LOWER("ImageLoaded") LIKE '%\\zlibwapi.dll' OR LOWER("ImageLoaded") LIKE '%\\bzip2.dll'
        OR LOWER("ImageLoaded") LIKE '%\\libbzip2.dll' OR LOWER("ImageLoaded") LIKE '%\\libzip.dll'
        OR LOWER("ImageLoaded") LIKE '%\\minizip.dll'
      )
      AND LOWER("ImageLoaded") NOT LIKE '%\\system32\\%'
      AND LOWER("ImageLoaded") NOT LIKE '%\\syswow64\\%'
      AND LOWER("Image") NOT LIKE '%\\7z.exe'
      AND LOWER("Image") NOT LIKE '%\\winrar.exe'
      AND LOWER("Image") NOT LIKE '%\\msiexec.exe'
    )
    OR (
      "EventCode" = '1'
      AND (LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe')
      AND (
        "CommandLine" LIKE '%IO.Compression%' OR "CommandLine" LIKE '%GZipStream%'
        OR "CommandLine" LIKE '%DeflateStream%' OR "CommandLine" LIKE '%ZipArchive%'
        OR "CommandLine" LIKE '%ZipFile%' OR "CommandLine" LIKE '%ICSharpCode%'
        OR "CommandLine" LIKE '%DotNetZip%' OR "CommandLine" LIKE '%System.IO.Compression%'
      )
    )
    OR (
      "EventCode" = '1'
      AND (LOWER("Image") LIKE '%\\python.exe' OR LOWER("Image") LIKE '%\\python3.%')
      AND (
        "CommandLine" LIKE '%import zlib%' OR "CommandLine" LIKE '%import bz2%'
        OR "CommandLine" LIKE '%import gzip%' OR "CommandLine" LIKE '%import zipfile%'
        OR "CommandLine" LIKE '%import rarfile%' OR "CommandLine" LIKE '%zlib.compress%'
        OR "CommandLine" LIKE '%bz2.compress%' OR "CommandLine" LIKE '%import lzma%'
        OR "CommandLine" LIKE '%import tarfile%'
      )
    )
    OR (
      "EventCode" = '11'
      AND (
        LOWER("TargetFilename") LIKE '%.gz' OR LOWER("TargetFilename") LIKE '%.bz2'
        OR LOWER("TargetFilename") LIKE '%.zlib' OR LOWER("TargetFilename") LIKE '%.lzma'
        OR LOWER("TargetFilename") LIKE '%.xz' OR LOWER("TargetFilename") LIKE '%.lz'
      )
      AND (
        LOWER("TargetFilename") LIKE '%\\temp\\%' OR LOWER("TargetFilename") LIKE '%\\appdata\\%'
        OR LOWER("TargetFilename") LIKE '%\\programdata\\%'
        OR LOWER("TargetFilename") LIKE '%\\users\\public\\%'
      )
      AND (
        LOWER("Image") LIKE '%\\python.exe' OR LOWER("Image") LIKE '%\\python3.exe'
        OR LOWER("Image") LIKE '%\\ruby.exe' OR LOWER("Image") LIKE '%\\perl.exe'
        OR LOWER("Image") LIKE '%\\node.exe' OR LOWER("Image") LIKE '%\\java.exe'
        OR LOWER("Image") LIKE '%\\wscript.exe' OR LOWER("Image") LIKE '%\\cscript.exe'
        OR LOWER("Image") LIKE '%\\mshta.exe'
      )
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon ingested as Windows Event Log QRadar Windows Custom Properties DSM for Sysmon fields

Required Tables

events

False Positives

Software package managers and application installers (Chocolatey, NSIS-based installers) that extract bundled zlib.dll or bzip2.dll to TEMP directories as part of legitimate installation workflows
Automated Python data engineering scripts that import compression modules to process pipeline outputs and write intermediate compressed files to staging or temp directories
Enterprise monitoring agent installers that use PowerShell with System.IO.Compression to stage deployment packages before executing setup routines on managed endpoints

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where !isNull(%"EventID")
| where %"EventID" in ("1", "7", "11")
| where
  (
    %"EventID" = "7"
    AND matches(%"ImageLoaded", "(?i).*(zlib\.dll|zlib1\.dll|zlibwapi\.dll|bzip2\.dll|libbzip2\.dll|libzip\.dll|minizip\.dll)$")
    AND !matches(%"ImageLoaded", "(?i).*(system32|syswow64|7-zip|winrar).*")
    AND !matches(%"Image", "(?i).*(7z\.exe|7zg\.exe|winrar\.exe|msiexec\.exe)$")
  ) OR (
    %"EventID" = "1"
    AND matches(%"Image", "(?i).*(powershell\.exe|pwsh\.exe)$")
    AND matches(%"CommandLine", "(?i).*(IO\.Compression|GZipStream|DeflateStream|ZipArchive|ZipFile|ICSharpCode|DotNetZip|System\.IO\.Compression).*")
  ) OR (
    %"EventID" = "1"
    AND matches(%"Image", "(?i).*python[0-9]*\.exe$")
    AND matches(%"CommandLine", "(?i).*(import zlib|import bz2|import gzip|import zipfile|import rarfile|zlib\.compress|bz2\.compress|import lzma|import tarfile).*")
  ) OR (
    %"EventID" = "11"
    AND matches(%"TargetFilename", "(?i).*\.(gz|bz2|zlib|lzma|xz|lz)$")
    AND matches(%"TargetFilename", "(?i).*(temp|appdata|programdata|users.public).*")
    AND matches(%"Image", "(?i).*(python[0-9]*\.exe|ruby\.exe|perl\.exe|node\.exe|java\.exe|javaw\.exe|wscript\.exe|cscript\.exe|mshta\.exe)$")
  )
| eval DetectionSource = if(%"EventID" = "7", "CompressionDllLoad",
    if(%"EventID" = "1" AND matches(%"Image", "(?i).*(powershell|pwsh).*"), "PowerShellLibraryCompression",
    if(%"EventID" = "1" AND matches(%"Image", "(?i).*python.*"), "PythonLibraryCompression",
    if(%"EventID" = "11", "StagedCompressedFileCreation", "Unknown"))))
| fields _time, Computer, %"User", DetectionSource, %"Image", %"CommandLine", %"ImageLoaded", %"TargetFilename", %"ParentImage"
| sort by _time desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Winlogbeat to Sumo Logic HTTP Source Sysmon for Windows (EventIDs 1, 7, 11)

Required Tables

Sysmon Windows Event Logs via _sourceCategory matching *windows*, *sysmon*, or *winlogbeat*

False Positives

CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners) executing Python or Node.js build scripts that compress artifacts to temp directories as part of packaging workflows
PowerShell-based endpoint management tooling (SCCM, Ansible over WinRM) using System.IO.Compression to package diagnostic bundles or software deployment archives
Application frameworks with embedded runtimes (Electron, embedded JRE, PyInstaller-packaged apps) that load compression DLLs from application-local directories during startup

Google Chronicle / SecOps

yaral

rule t1560_002_archive_via_library {
  meta:
    author = "Detection Engineering"
    description = "Detects T1560.002 - Archive via Library: compression DLL loading by non-archiver processes, PowerShell and Python using in-process compression APIs, scripting interpreter-driven compressed file creation in staging paths. Covers TajMahal, LunarWeb, InvisiMole, SeaDuke TTPs."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1560.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1560/002/"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2025-01-01"

  events:
    (
      $e.metadata.event_type = "PROCESS_MODULE_LOAD"
      and re.regex($e.target.file.full_path, `(?i)(zlib\.dll|zlib1\.dll|zlibwapi\.dll|bzip2\.dll|libbzip2\.dll|libzip\.dll|minizip\.dll)$`)
      and not re.regex($e.target.file.full_path, `(?i)(system32|syswow64|7-zip|winrar)`)
      and not re.regex($e.principal.process.file.full_path, `(?i)(7z\.exe|7zg\.exe|winrar\.exe|msiexec\.exe)$`)
    ) or (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
      and re.regex($e.target.process.command_line, `(?i)(IO\.Compression|GZipStream|DeflateStream|ZipArchive|ZipFile|ICSharpCode|DotNetZip)`)
    ) or (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i)python[0-9]*\.exe$`)
      and re.regex($e.target.process.command_line, `(?i)(import (zlib|bz2|gzip|zipfile|rarfile|lzma|tarfile)|zlib\.compress|bz2\.compress)`)
    ) or (
      $e.metadata.event_type = "FILE_CREATION"
      and re.regex($e.target.file.full_path, `(?i)\.(gz|bz2|zlib|lzma|xz|lz)$`)
      and re.regex($e.target.file.full_path, `(?i)(temp|appdata|programdata|users.public)`)
      and re.regex($e.principal.process.file.full_path, `(?i)(python[0-9]*|ruby|perl|node|java|javaw|wscript|cscript|mshta)\.exe$`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM-normalized Windows endpoint telemetry Chronicle Forwarder with Sysmon or CrowdStrike/Carbon Black feed

Required Tables

UDM Events with event_type in (PROCESS_MODULE_LOAD, PROCESS_LAUNCH, FILE_CREATION)

False Positives

Python ETL or data pipeline workflows (Apache Airflow tasks, custom ingestion scripts) that import compression modules to handle compressed data files, with imports visible in process command-line arguments captured by Chronicle
PowerShell-based deployment automation using ZipFile or GZipStream to package application components or config bundles before distributing to endpoints via SCCM or Group Policy
PyInstaller or cx_Freeze packaged Python applications that load compression DLLs from non-standard application directories and trigger PROCESS_MODULE_LOAD events during runtime unpacking

CrowdStrike LogScale (CQL)

cql

#event_simpleName in (ProcessRollup2, ImageLoad, FileWritten, PeFileWritten)
| case {
    #event_simpleName = ImageLoad
    AND ImageFileName = /(?i)(zlib\.dll|zlib1\.dll|zlibwapi\.dll|bzip2\.dll|libbzip2\.dll|libzip\.dll|minizip\.dll)$/
    AND NOT ImageFileName = /(?i)(system32|syswow64|7-zip|winrar)/
    AND NOT FileName = /(?i)(7z\.exe|7zg\.exe|winrar\.exe|msiexec\.exe)$/
    | DetectionSource := "CompressionDllLoad" ;

    #event_simpleName = ProcessRollup2
    AND FileName = /(?i)(powershell\.exe|pwsh\.exe)$/
    AND CommandLine = /(?i)(IO\.Compression|GZipStream|DeflateStream|ZipArchive|ZipFile|ICSharpCode|DotNetZip)/
    | DetectionSource := "PowerShellLibraryCompression" ;

    #event_simpleName = ProcessRollup2
    AND FileName = /(?i)python[0-9]*\.exe$/
    AND CommandLine = /(?i)(import zlib|import bz2|import gzip|import zipfile|import rarfile|zlib\.compress|bz2\.compress|import lzma|import tarfile)/
    | DetectionSource := "PythonLibraryCompression" ;

    #event_simpleName in (FileWritten, PeFileWritten)
    AND TargetFileName = /(?i)\.(gz|bz2|zlib|lzma|xz|lz)$/
    AND TargetFileName = /(?i)(temp|appdata|programdata|users.public)/i
    AND FileName = /(?i)(python[0-9]*\.exe|ruby\.exe|perl\.exe|node\.exe|java\.exe|javaw\.exe|wscript\.exe|cscript\.exe|mshta\.exe)$/
    | DetectionSource := "StagedCompressedFileCreation" ;

    * | drop()
  }
| table([timestamp, ComputerName, UserName, DetectionSource, FileName, CommandLine, ImageFileName, TargetFileName, ParentBaseFileName])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) CrowdStrike LogScale (Humio) Falcon Insight XDR telemetry

Required Tables

ProcessRollup2 ImageLoad FileWritten PeFileWritten

False Positives

Legitimate Python automation agents or data pipeline workers managed by IT/DevOps that import compression modules with imports visible in Falcon-captured CommandLine telemetry during script execution
Security forensics or IR tooling written in PowerShell that uses System.IO.Compression to compress memory dumps, log collections, or triage packages for analyst review and transfer
Packaged Electron-based or Python-based desktop applications that ship bundled zlib.dll or libbzip2.dll in application directories outside Program Files, triggering ImageLoad events during normal startup

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1560.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Archive via Library

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections