Detect Archive via Library in IBM QRadar
Adversaries may compress or encrypt collected data prior to exfiltration using third-party or built-in programming libraries rather than standalone archival utilities. Libraries such as Python's zlib, bzip2, gzip, zipfile, and rarfile modules; .NET's System.IO.Compression (GZipStream, DeflateStream, ZipArchive); C libraries libzip and zlib; and platform-native libraries enable adversaries to compress and encrypt data programmatically within a running process. Because no separate archival utility process (7-Zip, WinRAR, tar) is spawned, this technique evades detections focused on command-line archivers. Malware families including TajMahal, LunarWeb, SeaDuke, BBSRAT, InvisiMole, and Denis have all used library-based compression to stage and exfiltrate collected data.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1560 Archive Collected Data
- Sub-technique: T1560.002 Archive via Library
- Canonical reference: https://attack.mitre.org/techniques/T1560/002/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    username AS UserName,
    sourceip AS HostIP,
    "Image" AS ProcessPath,
    "CommandLine" AS CmdLine,
    COALESCE("ImageLoaded", "TargetFilename", '') AS Artifact,
    "ParentImage" AS ParentProcess,
    CASE
        WHEN "EventCode" = '7' THEN 'CompressionDllLoad'
        WHEN "EventCode" = '1' AND ("Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe') THEN 'PowerShellLibraryCompression'
        WHEN "EventCode" = '1' AND ("Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\python3.%') THEN 'PythonLibraryCompression'
        WHEN "EventCode" = '11' THEN 'StagedCompressedFileCreation'
        ELSE 'Unknown'
    END AS DetectionSource
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
    AND (
        (
            -- Event ID 7: compression library loaded from outside the trusted system paths
            "EventCode" = '7'
            AND (
                "ImageLoaded" ILIKE '%\\zlib.dll' OR "ImageLoaded" ILIKE '%\\zlib1.dll'
                OR "ImageLoaded" ILIKE '%\\zlibwapi.dll' OR "ImageLoaded" ILIKE '%\\bzip2.dll'
                OR "ImageLoaded" ILIKE '%\\libbzip2.dll' OR "ImageLoaded" ILIKE '%\\libzip.dll'
                OR "ImageLoaded" ILIKE '%\\minizip.dll'
            )
            AND NOT ("ImageLoaded" ILIKE '%\\system32\\%')
            AND NOT ("ImageLoaded" ILIKE '%\\syswow64\\%')
            AND NOT ("Image" ILIKE '%\\7z.exe')
            AND NOT ("Image" ILIKE '%\\winrar.exe')
            AND NOT ("Image" ILIKE '%\\msiexec.exe')
        )
        OR (
            -- Event ID 1: PowerShell invoking .NET or third-party compression APIs inline
            "EventCode" = '1'
            AND ("Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe')
            AND (
                "CommandLine" ILIKE '%IO.Compression%' OR "CommandLine" ILIKE '%GZipStream%'
                OR "CommandLine" ILIKE '%DeflateStream%' OR "CommandLine" ILIKE '%ZipArchive%'
                OR "CommandLine" ILIKE '%ZipFile%' OR "CommandLine" ILIKE '%ICSharpCode%'
                OR "CommandLine" ILIKE '%DotNetZip%'
            )
        )
        OR (
            -- Event ID 1: Python importing compression modules inline on the command line
            "EventCode" = '1'
            AND ("Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\python3.%')
            AND (
                "CommandLine" ILIKE '%import zlib%' OR "CommandLine" ILIKE '%import bz2%'
                OR "CommandLine" ILIKE '%import gzip%' OR "CommandLine" ILIKE '%import zipfile%'
                OR "CommandLine" ILIKE '%import rarfile%' OR "CommandLine" ILIKE '%zlib.compress%'
                OR "CommandLine" ILIKE '%bz2.compress%' OR "CommandLine" ILIKE '%import lzma%'
                OR "CommandLine" ILIKE '%import tarfile%'
            )
        )
        OR (
            -- Event ID 11: scripting interpreter writing a compressed file into a staging directory
            "EventCode" = '11'
            AND (
                "TargetFilename" ILIKE '%.gz' OR "TargetFilename" ILIKE '%.bz2'
                OR "TargetFilename" ILIKE '%.zlib' OR "TargetFilename" ILIKE '%.lzma'
                OR "TargetFilename" ILIKE '%.xz' OR "TargetFilename" ILIKE '%.lz'
            )
            AND (
                "TargetFilename" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\appdata\\%'
                OR "TargetFilename" ILIKE '%\\programdata\\%'
                OR "TargetFilename" ILIKE '%\\users\\public\\%'
            )
            AND (
                "Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\python3.exe'
                OR "Image" ILIKE '%\\ruby.exe' OR "Image" ILIKE '%\\perl.exe'
                OR "Image" ILIKE '%\\node.exe' OR "Image" ILIKE '%\\java.exe'
                OR "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe'
                OR "Image" ILIKE '%\\mshta.exe'
            )
        )
    )
ORDER BY devicetime DESC
LAST 24 HOURS
IBM QRadar AQL detection for T1560.002 that queries Sysmon events from the events table. It correlates Event ID 7 (a compression library DLL loaded from outside System32/SysWOW64 by a process other than a known archiver or installer), Event ID 1 (PowerShell command lines that reference .NET or third-party compression APIs, and Python command lines that import compression modules inline) and Event ID 11 (a scripting interpreter creating a compressed file in a staging directory). It reads the custom event properties EventCode, Image, CommandLine, ImageLoaded, TargetFilename and ParentImage, which your Sysmon property extraction must define under those names, and matches with ILIKE throughout: PowerShell type names such as [io.compression.gzipstream] are case-insensitive, so a case-sensitive LIKE on CommandLine is trivially bypassed. The time window is expressed with the LAST clause rather than a devicetime comparison, and the log source filter uses LOGSOURCETYPENAME(devicetype), since AQL does not accept a subquery in the WHERE clause. Two caveats. First, the Event ID 1 branches only see compression code passed inline on the command line; the same imports placed in a script file leave nothing to match, and only the Event ID 11 branch (or PowerShell Script Block Logging, Event ID 4104, which this query does not consume) covers that case. Second, the path-anchored patterns are written with doubled backslashes; confirm how your QRadar version treats a backslash inside a LIKE pattern before relying on them.
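The branch logic of the rule, as an added example that is not part of the page's own detection content: a pure-Python model of the WHERE clause and CASE expression, run over constructed Sysmon events. It reproduces the archiver and trusted-path exclusions, the case-insensitive matching, and the script-file case in which the Event ID 1 branch has nothing to match but the Event ID 11 branch still fires. The events, paths and command lines below are constructed for the example; the pattern lists are copied from the query.

```python
# Added example (not the page's own code): a pure-Python model of the AQL rule above,
# so its branch logic can be exercised offline. Field names mirror the QRadar custom
# properties the rule references. The sample events are constructed, not real telemetry.
import re


def ilike(value, pattern):
    """SQL/AQL LIKE semantics, case-insensitive: '%' matches any run, '_' one
    character, and the pattern is anchored at both ends."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value or "", re.IGNORECASE | re.DOTALL) is not None


def any_ilike(value, patterns):
    return any(ilike(value, p) for p in patterns)


# Pattern sets from the rule's WHERE clause (backslashes are literal path separators).
COMPRESSION_DLLS = [r"%\zlib.dll", r"%\zlib1.dll", r"%\zlibwapi.dll", r"%\bzip2.dll",
                    r"%\libbzip2.dll", r"%\libzip.dll", r"%\minizip.dll"]
TRUSTED_DLL_PATHS = [r"%\system32\%", r"%\syswow64\%"]
ARCHIVER_IMAGES = [r"%\7z.exe", r"%\winrar.exe", r"%\msiexec.exe"]
POWERSHELL_IMAGES = [r"%\powershell.exe", r"%\pwsh.exe"]
POWERSHELL_MARKERS = ["%IO.Compression%", "%GZipStream%", "%DeflateStream%", "%ZipArchive%",
                      "%ZipFile%", "%ICSharpCode%", "%DotNetZip%"]
PYTHON_IMAGES = [r"%\python.exe", r"%\python3.%"]
PYTHON_MARKERS = ["%import zlib%", "%import bz2%", "%import gzip%", "%import zipfile%",
                  "%import rarfile%", "%zlib.compress%", "%bz2.compress%", "%import lzma%",
                  "%import tarfile%"]
STAGED_EXTENSIONS = ["%.gz", "%.bz2", "%.zlib", "%.lzma", "%.xz", "%.lz"]
STAGING_DIRS = [r"%\temp\%", r"%\appdata\%", r"%\programdata\%", r"%\users\public\%"]
INTERPRETERS = [r"%\python.exe", r"%\python3.exe", r"%\ruby.exe", r"%\perl.exe", r"%\node.exe",
                r"%\java.exe", r"%\wscript.exe", r"%\cscript.exe", r"%\mshta.exe"]


def detection_source(ev):
    """Return the rule's DetectionSource label for one event, or None when the
    WHERE clause would not select it."""
    code, image = ev.get("EventCode"), ev.get("Image", "")
    if code == "7":
        dll = ev.get("ImageLoaded", "")
        if (any_ilike(dll, COMPRESSION_DLLS) and not any_ilike(dll, TRUSTED_DLL_PATHS)
                and not any_ilike(image, ARCHIVER_IMAGES)):
            return "CompressionDllLoad"
    elif code == "1":
        cmd = ev.get("CommandLine", "")
        if any_ilike(image, POWERSHELL_IMAGES) and any_ilike(cmd, POWERSHELL_MARKERS):
            return "PowerShellLibraryCompression"
        if any_ilike(image, PYTHON_IMAGES) and any_ilike(cmd, PYTHON_MARKERS):
            return "PythonLibraryCompression"
    elif code == "11":
        target = ev.get("TargetFilename", "")
        if (any_ilike(target, STAGED_EXTENSIONS) and any_ilike(target, STAGING_DIRS)
                and any_ilike(image, INTERPRETERS)):
            return "StagedCompressedFileCreation"
    return None


def run(events):
    """Evaluate the rule over a list of events; returns {event id: DetectionSource}."""
    return {ev["id"]: src for ev in events if (src := detection_source(ev))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Unknown binary in Temp loading zlib1.dll from Temp: selected.
    {"id": "e1", "EventCode": "7", "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\zlib1.dll"},
    # 7-Zip loading a compression DLL: excluded by the archiver list.
    {"id": "e2", "EventCode": "7", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\zlib1.dll"},
    # DLL under System32: excluded by the trusted-path filter.
    {"id": "e3", "EventCode": "7", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\zlibwapi.dll"},
    # PowerShell with lower-cased .NET type names (PowerShell is case-insensitive):
    # a case-sensitive LIKE on CommandLine would miss this; ILIKE catches it.
    {"id": "e4", "EventCode": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"$g=[io.compression.gzipstream]::new($o,'Compress')\""},
    # Inline Python one-liner: the imports are visible on the command line.
    {"id": "e5", "EventCode": "1", "Image": r"C:\Python311\python.exe",
     "CommandLine": "python.exe -c \"import zlib;open('stage.zlib','wb').write(zlib.compress(open('hosts','rb').read()))\""},
    # Same behaviour moved into a script file: the Event ID 1 branch has nothing to match...
    {"id": "e6", "EventCode": "1", "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe C:\Users\alice\collect.py"},
    # ...but the Event ID 11 branch still sees the staged .gz under AppData\Local\Temp.
    {"id": "e7", "EventCode": "11", "Image": r"C:\Python311\python.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage_df00.gz"},
    # Data pipeline writing .gz outside a staging directory: not selected.
    {"id": "e8", "EventCode": "11", "Image": r"C:\Python311\python.exe",
     "TargetFilename": r"C:\data\pipeline\part-0001.gz"},
]

if __name__ == "__main__":
    for event_id, source in run(SAMPLE_EVENTS).items():
        print(event_id, source)
```

Running it labels e1, e4, e5 and e7 and drops the rest; e6 followed by e7 is the pair to keep in mind when judging coverage, since only the file-creation branch sees script-file compression.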
Data Sources
- Sysmon on Windows endpoints: Event ID 1 (Process Create), Event ID 7 (Image Loaded) and Event ID 11 (File Create), forwarded to QRadar and parsed into the custom event properties EventCode, Image, CommandLine, ImageLoaded, TargetFilename and ParentImage
Required Tables
- events
False Positives & Tuning
- Software package managers and application installers (Chocolatey, NSIS-based installers) that extract a bundled zlib.dll or bzip2.dll to a TEMP directory as part of a legitimate installation workflow
- Automated Python data engineering scripts that import compression modules to process pipeline outputs and write intermediate compressed files to staging or temp directories
- Enterprise monitoring agent installers that use PowerShell with System.IO.Compression to stage deployment packages before running setup routines on managed endpoints
- The log source filter matches a log source type whose name contains 'Sysmon'; if Sysmon events reach QRadar through the generic Windows event log source type instead, replace that predicate with a filter on LOGSOURCENAME(logsourceid) or rely on the "EventCode" and "Image" properties alone
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests for T1560.002 listed below. Each test gives the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Two limits apply when reading the results: Test 3 runs on Linux and produces auditd/syslog telemetry, which this Sysmon-only query does not consume; and Test 4 writes a .zip file, an extension the Event ID 11 branch does not list, so it can only fire through the Event ID 1 command-line branch.
- Test 1: Python zlib Compression of Sensitive File Collection
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'import zlib' and 'zlib.compress'. Sysmon Event ID 11: File Create for %TEMP%\stage_df00.zlib. DeviceFileEvents: FileCreated action for the .zlib output file. DeviceFileEvents: FileRead action for the hosts file.
- Test 2: PowerShell GZipStream Compression via System.IO.Compression
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'IO.Compression', 'GZipStream', 'MemoryStream', and 'CompressionMode'. Sysmon Event ID 11: File Create for %TEMP%\stage_df00.gz. PowerShell ScriptBlock Log Event ID 4104 with the full .NET compression code.
- Test 3: Python bzip2 Multi-File Collection and Compression (Linux)
Expected signal: Syslog/auditd: python3 process execution with a command line containing 'import bz2', 'tarfile', and an output path in /tmp. File creation event for /tmp/stage_df00.tar.bz2. Auditd syscall events: openat for the source files, write for the output file. Linux process accounting: python3 with a suspicious file access pattern.
- Test 4: Python rarfile Library Compression (Third-Party Library)
Expected signal: Sysmon Event ID 1: python.exe with CommandLine containing 'import zipfile', 'ZIP_DEFLATED', and a temp path (the rarfile package can only read RAR archives, so the archive itself is written with the standard-library zipfile module). Sysmon Event ID 11: File Create for %TEMP%\stage_df00_lib.zip. Potential child process for the pip install subprocess. DeviceFileEvents shows a file read of the hosts file and a write of the .zip artifact.
References (12)
- https://attack.mitre.org/techniques/T1560/002/
- https://github.com/madler/zlib
- https://libzip.org/
- https://pypi.org/project/rarfile/
- https://learn.microsoft.com/en-us/dotnet/api/system.io.compression
- https://securelist.com/kaspersky-lab-discovers-the-tajmahal-apt-framework/90240/
- https://www.welivesecurity.com/2024/05/23/eset-research-unveils-lunar-toolset-diplomatic-espionage/
- https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/
- https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon