This note documents detection patterns related to Suspicious Archiving within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects archive utilities and command-line compression activity. |
| Sysmon | 1 | Process creation | Critical | Best execution source for archiving commands and parent lineage. |
| Sysmon | 11 | File create | Critical | Archive output creation (.zip, .7z, .rar, .cab). |
| Sysmon | 15 | File stream create | High | Alternate data streams may appear during staged archive operations. |
| Sysmon | 3 | Network connection | High | Useful when archive creation is followed by an outbound transfer from the same host. |
| PowerShell | 4104 | Script block logging | Critical | Captures Compress-Archive and custom compression scripts. |
| Security | 4663 | Object access | High | Sensitive file reads preceding archive creation if auditing enabled. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Archive in Temp/AppData | .zip, .7z, .rar in user-writable path | Critical | Common staging location. |
| Sensitive folders compressed | Documents, Desktop, DB exports, logs | Critical | Possible exfil preparation. |
| Large archive before outbound traffic | File then network beacon | Critical | Strong exfil chain. |
| Rare archive utility | 7z.exe / rar.exe on endpoint without baseline | High | Suspicious tooling. |
| Password-protected archive | -p argument | Critical | Very strong exfil indicator. |
| Split archive | Multi-part files | High | Often used to bypass controls. |
| Compression from service context | SYSTEM creates archive | Critical | Very suspicious. |
Common Tools
| Tool | Usage |
|---|---|
| 7z.exe | Compress files, encrypt archives |
| rar.exe | Archive creation |
| tar.exe | Native compression |
| makecab.exe | CAB archive creation |
| powershell.exe | Compress-Archive |
| WinRAR | GUI or CLI archiving |
| custom scripts | Bulk file collection |
Relevant Artifacts
- Sysmon Event IDs 1, 11, 15
- Security Event ID 4688
- PowerShell 4104
- Security 4663
- Prefetch: 7Z.EXE, RAR.EXE, POWERSHELL.EXE, TAR.EXE
- Amcache for archive tool execution
- ShimCache historical traces
- MFT / USN Journal for archive timeline
- File metadata for archive contents
- EDR process tree before transfer
MITRE ATT&CK References
- T1560 Archive Collected Data
- T1560.001 Archive via Utility
- T1020 Automated Exfiltration
Decision Tree
- Which process created the archive?
  - Parent process
  - User context
- What files were collected?
  - Sensitive paths
  - Targeted extensions
- Is the archive protected?
  - Password argument
  - Split volumes
- Was the archive transferred?
  - Network connection
  - Cloud upload
  - External media
- Expand:
  - Adjacent credential access
  - Discovery before collection
  - Cleanup after exfil
- Scope:
  - Single archive
  - Repeated staging
  - Enterprise-wide pattern
Example Detection Templates
KQL

```kql
// Sysmon EID 1: archive utilities on the command line (has_any matches whole terms, case-insensitive)
Sysmon
| where EventID == 1
| where CommandLine has_any ("7z", "rar", "Compress-Archive", "tar", "makecab")
| project TimeGenerated, Computer, User, CommandLine
```

```kql
// Sysmon EID 11: archive files written to disk
Sysmon
| where EventID == 11
| where TargetFilename endswith ".zip" or TargetFilename endswith ".7z" or TargetFilename endswith ".rar"
| project TimeGenerated, Computer, TargetFilename
```

EQL

```eql
// Single-event match on the command line
process where process.command_line like "*7z*" or process.command_line like "*Compress-Archive*"

// Archive tool launch followed by an archive file on the same host within 10 minutes
sequence by host.name with maxspan=10m
  [ process where process.name in ("7z.exe", "rar.exe", "powershell.exe") ]
  [ file where file.extension in ("zip", "7z", "rar") ]
```
Sigma

```yaml
title: Suspicious Archive Creation
id: 6c2e91af-archive-detection
status: experimental
description: Detects archive creation commonly linked to staging or exfiltration
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    CommandLine|contains:
      - '7z'
      - 'rar'
      - 'Compress-Archive'
      - 'makecab'
  condition: selection
fields:
  - CommandLine
  - ParentImage
falsepositives:
  - Legitimate backup activity
level: high
tags:
  - attack.collection
  - attack.t1560
```
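As an added example (not part of the original note), the following Python scores each archive-tool process creation against the indirect indicators and decision-tree questions above, correlating Sysmon EID 11 archive writes and EID 3 network connections on the same host within the same 10-minute window the EQL sequence uses. The event field names, the sample events and the indicator weights are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon events (not from the note): EID 1 process create, EID 11 file create, EID 3 network.
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T10:00:05", "host": "WS01", "eid": 1, "user": "CORP\\alice",
     "image": "C:\\Tools\\7z.exe",
     "cmd": "C:\\Tools\\7z.exe a -pS3cret C:\\Users\\alice\\AppData\\Local\\Temp\\docs.7z C:\\Users\\alice\\Documents"},
    {"ts": "2026-03-07T10:00:09", "host": "WS01", "eid": 11,
     "file": "C:\\Users\\alice\\AppData\\Local\\Temp\\docs.7z"},
    {"ts": "2026-03-07T10:03:30", "host": "WS01", "eid": 3, "dest_ip": "203.0.113.10"},
    {"ts": "2026-03-07T11:00:00", "host": "WS02", "eid": 1, "user": "CORP\\backup",
     "image": "C:\\Windows\\System32\\tar.exe", "cmd": "tar.exe -cf D:\\Backups\\nightly.tar D:\\Data"},
    {"ts": "2026-03-07T11:00:02", "host": "WS02", "eid": 11, "file": "D:\\Backups\\nightly.tar"},
]

ARCHIVE_TOOLS = ("7z.exe", "rar.exe", "tar.exe", "makecab.exe", "powershell.exe")
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".cab")
STAGING_DIRS = ("\\temp\\", "\\appdata\\")
SENSITIVE_SRC = ("\\documents", "\\desktop")
# Weights are an assumption for this example; tune them to the environment's baseline.
WEIGHTS = {"staging_path": 3, "sensitive_source": 3, "password_protected": 3,
           "split_volume": 2, "system_context": 3, "followed_by_network": 3}


def score_archiving(events, maxspan=timedelta(minutes=10)):
    """One finding per archive-tool process creation (EID 1): which of the note's
    indirect indicators fired within maxspan on the same host, and a summed score."""
    findings = []
    for ev in events:
        if ev["eid"] != 1 or not ev["image"].lower().endswith(ARCHIVE_TOOLS):
            continue
        t0, host, cmd = datetime.fromisoformat(ev["ts"]), ev["host"], ev["cmd"]
        if ev["image"].lower().endswith("powershell.exe") and "compress-archive" not in cmd.lower():
            continue  # only scripted compression counts, not every PowerShell launch
        later = [e for e in events if e["host"] == host
                 and timedelta(0) <= datetime.fromisoformat(e["ts"]) - t0 <= maxspan]
        archives = [e["file"] for e in later if e["eid"] == 11 and e["file"].lower().endswith(ARCHIVE_EXT)]
        hits = {
            "staging_path": any(d in f.lower() for f in archives for d in STAGING_DIRS),
            "sensitive_source": any(s in cmd.lower() for s in SENSITIVE_SRC),
            "password_protected": bool(re.search(r"(^|\s)-p\S+", cmd)),  # 7z/rar -p<password>
            "split_volume": bool(re.search(r"(^|\s)-v\d+[kmg]?\b", cmd, re.I)),  # 7z/rar -v100m
            "system_context": ev["user"].upper().endswith("SYSTEM"),
            "followed_by_network": bool(archives) and any(e["eid"] == 3 for e in later),
        }
        fired = [k for k, v in hits.items() if v]
        findings.append({"host": host, "user": ev["user"], "cmd": cmd,
                         "indicators": fired, "score": sum(WEIGHTS[k] for k in fired)})
    return findings
```

The WS01 chain (staging path, Documents source, password switch, outbound connection) scores 12, while the WS02 tar backup with no follow-on transfer scores 0, which is the triage split the decision tree is after.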
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Archive utility monitoring | Alert on CLI compression | Critical | Core staging visibility |
| Sensitive folder auditing | Track bulk reads | High | Detect collection before archive |
| Outbound correlation | Tie archive to transfer | Critical | Confirm exfil path |
| PowerShell logging | Enable 4104 | High | Detect scripted compression |
| Restrict archive tools | WDAC / AppLocker | High | Limit attacker tooling |