File Compressed or Archived into Common Format

Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.

Rule type: eql

Rule indices:

logs-endpoint.events.file-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 1000

References:

https://en.wikipedia.org/wiki/List_of_file_signatures

Tags:

Data Source: Elastic Defend
Domain: Endpoint
OS: macOS
OS: Windows
Tactic: Collection
Rule Type: BBR

Version: 5

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and
 file.Ext.header_bytes : (
                          /* compression formats */
                          "1F9D*",             /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */
                          "1FA0*",             /* tar zip, tar.z (LZH algorithm) */
                          "425A68*",           /* Bzip2 */
                          "524E4301*",         /* Rob Northen Compression */
                          "524E4302*",         /* Rob Northen Compression */
                          "4C5A4950*",         /* LZIP */
                          "504B0*",            /* ZIP */
                          "526172211A07*",     /* RAR compressed */
                          "44434D0150413330*", /* Windows Update Binary Delta Compression file */
                          "50413330*",         /* Windows Update Binary Delta Compression file */
                          "377ABCAF271C*",     /* 7-Zip */
                          "1F8B*",             /* GZIP */
                          "FD377A585A00*",     /* XZ, tar.xz */
                          "7801*",	           /* zlib: No Compression (no preset dictionary) */
                          "785E*",	           /* zlib: Best speed (no preset dictionary) */
                          "789C*",	           /* zlib: Default Compression (no preset dictionary) */
                          "78DA*", 	           /* zlib: Best Compression (no preset dictionary) */
                          "7820*",	           /* zlib: No Compression (with preset dictionary) */
                          "787D*",	           /* zlib: Best speed (with preset dictionary) */
                          "78BB*",	           /* zlib: Default Compression (with preset dictionary) */
                          "78F9*",	           /* zlib: Best Compression (with preset dictionary) */
                          "62767832*",         /* LZFSE */
                          "28B52FFD*",         /* Zstandard, zst */
                          "5253564B44415441*", /* QuickZip rs compressed archive */
                          "2A2A4143452A2A*",   /* ACE */

                          /* archive formats */
                          "2D686C302D*",       /* lzh */
                          "2D686C352D*",       /* lzh */
                          "303730373037*",     /* cpio */
                          "78617221*",         /* xar */
                          "4F4152*",           /* oar */
                          "49536328*"          /* cab archive */
 ) and
 not (
   (
     process.name : "firefox.exe" and
     process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true
   ) or
   (
     process.name : "wazuh-agent.exe" and
     process.code_signature.subject_name : "Wazuh, Inc" and process.code_signature.trusted == true and
     file.name : ("ossec-*.log.gz", "tmp-entry.gz", "tmp-entry", "last-entry.gz")
   ) or
   (
     process.name : ("excel.exe", "winword.exe", "powerpnt.exe") and
     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true
   ) or
   (
     process.name : "OneDrive.exe" and
     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and
     (
      file.extension : ("xlsx", "docx", "pptx", "xlsm") or
      file.path : "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*"
     )
   ) or
   (
     process.name : "Dropbox.exe" and
     process.code_signature.subject_name : "Dropbox, Inc" and process.code_signature.trusted == true and
     file.name : "store.bin"
   ) or
   (
     process.name : "DellSupportAssistRemedationService.exe" and
     process.code_signature.subject_name : "Dell Inc" and process.code_signature.trusted == true and
     file.extension : "manifest"
   ) or
   (
     process.name : "w3wp.exe" and
     process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true and
     file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*"
   )
 )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Data Staged
- ID: T1074
- Reference URL: https://attack.mitre.org/techniques/T1074/
Sub-technique:
- Name: Local Data Staging
- ID: T1074.001
- Reference URL: https://attack.mitre.org/techniques/T1074/001/
Technique:
- Name: Archive Collected Data
- ID: T1560
- Reference URL: https://attack.mitre.org/techniques/T1560/
Sub-technique:
- Name: Archive via Utility
- ID: T1560.001
- Reference URL: https://attack.mitre.org/techniques/T1560/001/
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Data Encoding
- ID: T1132
- Reference URL: https://attack.mitre.org/techniques/T1132/
Sub-technique:
- Name: Standard Encoding
- ID: T1132.001
- Reference URL: https://attack.mitre.org/techniques/T1132/001/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Obfuscated Files or Information
- ID: T1027
- Reference URL: https://attack.mitre.org/techniques/T1027/

« External User Added to Google Workspace Group File Creation Time Changed »