Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.
In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of “
\* a \*”. This is helpful, as adversaries may change program names.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Archive Collected Data||Archive via Utility||Exfiltration||Moderate|
|D3-PSA||Process Spawn Analysis|
Data Model References
This analytic looks for the command line argument
a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.
processes = search Process:Create rar_argument = filter processes where (command_line == "* a *") output rar_argument
Dnif, Sysmon native
DNIF version of the above pseudocode.
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100
Logpoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 command="* a *"
Test Case 1
Configurations: Windows 7
Download 7zip or other archiving software you plan to monitor. Create an innocuous text file for testing, or substitute an existing file.
7z.exe a test.zip test.txt