Before exfiltrating the data it has collected, an adversary will very likely pack it into a compressed archive, both to minimize transfer time and to reduce the number of files transmitted. The tools used to compress data vary, but the command-line usage and context of archiving utilities such as ZIP, RAR, and 7-Zip should be monitored.

ATT&CK Detection

Technique          Tactic          Level of Coverage
Data Compressed    Exfiltration    Moderate

Pseudocode

This analytic looks for the command-line argument a, which RAR (and 7-Zip) use to add files to an archive. However, other programs may legitimately take a as an argument, so such matches may need to be filtered out.

processes = search Process:Create
rar_argument = filter processes where (command_line == "* a *")
output rar_argument

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Description: Download 7zip or other archiving software you plan to monitor. Create an innocuous text file for testing, or substitute an existing file.
  • Commands:
    7z.exe a test.zip test.txt
    

Additional Notes:

In addition to looking for the RAR or 7-Zip program names, command-line use of 7-Zip or RAR can be detected from the a flag, i.e. a command line matching "* a *". This is helpful because adversaries may rename the program binaries.
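The following is an added example, not code from the CAR page or its authors. It runs the "* a *" pseudocode above over a constructed set of process-creation events, then shows the two refinements the Pseudocode and Additional Notes sections suggest: keying on the a argument rather than the image name so a renamed archiver is still caught, and restricting the match to a stand-alone a argument (ignoring text inside quotes) so a command such as a Git commit message containing " a " does not fire. Field names follow CAR's process/create data model; the events, PIDs and paths are made up, and the ARCHIVER_IMAGES list is an assumption of what a site would treat as known archivers.

```python
import re
from typing import Dict, List, Tuple

# Assumed set of well-known archiver binaries (lower-cased file names).
ARCHIVER_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe"}

# Constructed sample events in the style of Sysmon Event ID 1; not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": "7z.exe a test.zip test.txt"},
    # archiver renamed to svchost.exe to evade name-based detection
    {"pid": "4188", "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "command_line": r'svchost.exe a -hp staged.rar "C:\Users\bob\Documents"'},
    # benign: " a " occurs only inside a quoted commit message
    {"pid": "4201", "image": r"C:\Program Files\Git\cmd\git.exe",
     "command_line": 'git.exe commit -m "fix a typo"'},
    # RAR extraction (x), not archive creation
    {"pid": "4230", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": "Rar.exe x backup.rar"},
    {"pid": "4255", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]


def car_filter(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The CAR pseudocode as written: command_line matches the wildcard '* a *'."""
    return [e for e in events if " a " in e["command_line"]]


def argument_tokens(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace after blanking double-quoted
    spans, so that words inside "..." cannot masquerade as arguments."""
    return re.sub(r'"[^"]*"', '""', command_line).split()


def has_add_argument(command_line: str) -> bool:
    """True when 'a' (RAR/7-Zip 'add to archive') is a stand-alone argument
    after the program name."""
    return "a" in argument_tokens(command_line)[1:]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, for comparison with ARCHIVER_IMAGES."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def refined_filter(events: List[Dict[str, str]]) -> List[Tuple[str, bool]]:
    """Fire on a stand-alone 'a' argument regardless of image name, and report
    whether the image is a known archiver; a False here means an unknown or
    renamed binary is adding files to an archive, which deserves a closer look."""
    hits = []
    for e in events:
        if has_add_argument(e["command_line"]):
            hits.append((e["pid"], image_name(e["image"]) in ARCHIVER_IMAGES))
    return hits


if __name__ == "__main__":
    print("CAR '* a *' matches:", [e["pid"] for e in car_filter(EVENTS)])
    print("refined matches (pid, known archiver):", refined_filter(EVENTS))
```

Over the sample set the literal wildcard flags the Git commit alongside the two archiving commands, while the token-level check keeps only the archiving commands and marks the renamed binary as an unknown image; the "x" extraction and the plain cmd.exe never match either rule.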

Data Model References

Object     Action    Field
process    create    command_line