File Compressed or Archived into Common Format


Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to stage data for exfiltration.

Rule type: eql

Rule indices:

  • logs-endpoint.events.file-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 1000

References:

Tags:

  • Data Source: Elastic Defend
  • Domain: Endpoint
  • OS: macOS
  • OS: Windows
  • Tactic: Collection
  • Rule Type: BBR

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and
 file.Ext.header_bytes : (
                          /* compression formats */
                          "1F9D*",             /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */
                          "1FA0*",             /* tar zip, tar.z (LZH algorithm) */
                          "425A68*",           /* Bzip2 */
                          "524E4301*",         /* Rob Northen Compression */
                          "524E4302*",         /* Rob Northen Compression */
                          "4C5A4950*",         /* LZIP */
                          "504B0*",            /* ZIP */
                          "526172211A07*",     /* RAR compressed */
                          "44434D0150413330*", /* Windows Update Binary Delta Compression file */
                          "50413330*",         /* Windows Update Binary Delta Compression file */
                          "377ABCAF271C*",     /* 7-Zip */
                          "1F8B*",             /* GZIP */
                          "FD377A585A00*",     /* XZ, tar.xz */
                          "7801*",             /* zlib: No Compression (no preset dictionary) */
                          "785E*",             /* zlib: Best speed (no preset dictionary) */
                          "789C*",             /* zlib: Default Compression (no preset dictionary) */
                          "78DA*",             /* zlib: Best Compression (no preset dictionary) */
                          "7820*",             /* zlib: No Compression (with preset dictionary) */
                          "787D*",             /* zlib: Best speed (with preset dictionary) */
                          "78BB*",             /* zlib: Default Compression (with preset dictionary) */
                          "78F9*",             /* zlib: Best Compression (with preset dictionary) */
                          "62767832*",         /* LZFSE */
                          "28B52FFD*",         /* Zstandard, zst */
                          "5253564B44415441*", /* QuickZip rs compressed archive */
                          "2A2A4143452A2A*",   /* ACE */

                          /* archive formats */
                          "2D686C302D*",       /* lzh */
                          "2D686C352D*",       /* lzh */
                          "303730373037*",     /* cpio */
                          "78617221*",         /* xar */
                          "4F4152*",           /* oar */
                          "49536328*"          /* cab archive */
 ) and
 not (
   (
     process.name : "firefox.exe" and
     process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true
   ) or
   (
     process.name : "wazuh-agent.exe" and
     process.code_signature.subject_name : "Wazuh, Inc" and process.code_signature.trusted == true and
     file.name : ("ossec-*.log.gz", "tmp-entry.gz", "tmp-entry", "last-entry.gz")
   ) or
   (
     process.name : ("excel.exe", "winword.exe", "powerpnt.exe") and
     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true
   ) or
   (
     process.name : "OneDrive.exe" and
     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and
     (
      file.extension : ("xlsx", "docx", "pptx", "xlsm") or
      file.path : "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*"
     )
   ) or
   (
     process.name : "Dropbox.exe" and
     process.code_signature.subject_name : "Dropbox, Inc" and process.code_signature.trusted == true and
     file.name : "store.bin"
   ) or
   (
     process.name : "DellSupportAssistRemedationService.exe" and
     process.code_signature.subject_name : "Dell Inc" and process.code_signature.trusted == true and
     file.extension : "manifest"
   ) or
   (
     process.name : "w3wp.exe" and
     process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true and
     file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*"
   )
 )
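To see which file events this rule would fire on before enabling it, the following is an added Python re-implementation of the query's matching logic (not Elastic's code). It covers a subset of the header-byte prefixes and two of the exclusion clauses (signed Office apps and OneDrive); the event dicts are constructed and use the ECS field names from the query.

```python
import fnmatch
from typing import Optional

# Subset of the rule's header-byte prefixes (hex, trailing '*' dropped)
HEADER_PREFIXES = {
    "1F8B": "GZIP", "504B0": "ZIP", "526172211A07": "RAR", "377ABCAF271C": "7-Zip",
    "425A68": "Bzip2", "FD377A585A00": "XZ", "28B52FFD": "Zstandard", "49536328": "cab",
}
SYSTEM_SIDS = ("S-1-5-18", "S-1-5-17")  # LocalSystem and LocalService, excluded by the rule
OFFICE_EXTS = ("xlsx", "docx", "pptx", "xlsm")
ONEDRIVE_LOGS = "?:\\users\\*\\appdata\\local\\microsoft\\onedrive\\logs\\*"  # lower-cased glob

def archive_format(header_hex: str) -> Optional[str]:
    """file.Ext.header_bytes is the hex of the file's leading bytes; EQL 'field : "1F8B*"'
    is a case-insensitive wildcard match, so compare the upper-cased prefix."""
    hexhead = header_hex.upper()
    for prefix, name in HEADER_PREFIXES.items():
        if hexhead.startswith(prefix):
            return name
    return None

def _signed_by(event: dict, subject: str) -> bool:
    return (event.get("process.code_signature.subject_name") == subject
            and event.get("process.code_signature.trusted") is True)

def excluded(event: dict) -> bool:
    """Two of the rule's allow-list clauses: signed Office apps, and signed OneDrive writing
    Office documents (OOXML is a ZIP container, so it hits "504B0*") or its own logs."""
    name = event.get("process.name", "").lower()
    if name in ("excel.exe", "winword.exe", "powerpnt.exe"):
        return _signed_by(event, "Microsoft Corporation")
    if name == "onedrive.exe" and _signed_by(event, "Microsoft Corporation"):
        return (event.get("file.extension", "").lower() in OFFICE_EXTS
                or fnmatch.fnmatchcase(event.get("file.path", "").lower(), ONEDRIVE_LOGS))
    return False

def rule_matches(event: dict) -> Optional[str]:
    """Return the matched format name if the event would fire this rule, else None."""
    if event.get("host.os.type") != "windows" or event.get("event.type") not in ("creation", "change"):
        return None
    if not event.get("process.executable") or event.get("user.id") in SYSTEM_SIDS:
        return None
    fmt = archive_format(event.get("file.Ext.header_bytes", ""))
    return None if fmt is None or excluded(event) else fmt

# Constructed sample event: a .docx saved by signed Word matches the ZIP prefix but is allow-listed
WORD_DOCX = {"host.os.type": "windows", "event.type": "creation", "user.id": "S-1-5-21-1-2-3-1001",
             "process.executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
             "process.name": "WINWORD.EXE", "process.code_signature.subject_name": "Microsoft Corporation",
             "process.code_signature.trusted": True, "file.extension": "docx", "file.Ext.header_bytes": "504B030414000600"}
```

The same ZIP header written by an unsigned, non-allow-listed process fires, and any write by the LocalSystem SID is dropped before the header check is consulted.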

Framework: MITRE ATT&CK™