Encrypting Files with WinRar or 7z

  1[metadata]
  2creation_date = "2020/12/04"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2026/01/12"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the use of WinRAR or 7-Zip to create encrypted archives. Adversaries often compress and encrypt data
 11in preparation for exfiltration.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-endpoint.events.process-*",
 16    "winlogbeat-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Encrypting Files with WinRar or 7z"
 25note = """## Triage and analysis
 26
 27### Investigating Encrypting Files with WinRar or 7z
 28
 29Attackers may compress and/or encrypt data collected before exfiltration. Compressing data can help stage and obfuscate content and may reduce the amount of data sent over the network. Encryption can be used to hide the contents of the archive and make the activity less apparent during review.
 30
 31These steps are often performed in preparation for exfiltration, meaning the intrusion may be in its later stages.
 32
 33#### Possible investigation steps
 34
 35- Review the process ancestry (parent process tree) for the archiving command. Identify what launched WinRAR/7-Zip and whether the parent is expected in your environment.
 36- Validate the executable: check file path, signature, hash prevalence, and whether the binary is the expected vendor build.
 37- Identify the archive output location and name. Look for staging locations (e.g., user profile temp directories, public folders, removable media paths) and unusual naming patterns.
 38- Retrieve the created archive if policy allows. Determine whether the contents are sensitive or business-critical.
 39- Check whether the encryption password is present in the command line. If present, treat as high confidence data staging.
 40- If the password is not available and the archive format is `.zip` (or WinRAR is not using the `-hp` option), enumerate filenames within the archive to understand what was staged.
 41- Review other alerts and related activity for the same host/user over the last 48 hours (credential access, discovery, lateral movement, and outbound transfers).
 42- Investigate whether the archive was transferred off-host (e.g., browser uploads, cloud sync clients, RMM tools, SMB to unusual destinations, or other outbound network activity).
 43
 44### False positive analysis
 45
 46- Backup, packaging, and software distribution workflows may legitimately create password-protected archives.
 47- IT administrators and automation may use WinRAR/7-Zip for log collection, incident response packaging, or data transfer.
 48- Validate the parent process and context using `process.parent.executable` and `process.parent.command_line`, and confirm whether the archive destination and file set match an expected workflow.
 49
 50### Response and remediation
 51
 52- Initiate the incident response process based on the outcome of the triage.
 53- Prioritize cases that involve personally identifiable information (PII) or other classified data.
 54- Isolate the involved hosts to prevent further post-compromise behavior.
 55- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 56- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 57- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 58- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 59"""
 60references = [
 61    "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
 62    "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 63]
 64risk_score = 47
 65rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
 66severity = "medium"
 67tags = [
 68    "Domain: Endpoint",
 69    "OS: Windows",
 70    "Use Case: Threat Detection",
 71    "Tactic: Collection",
 72    "Resources: Investigation Guide",
 73    "Data Source: Elastic Endgame",
 74    "Data Source: Elastic Defend",
 75    "Data Source: Sysmon",
 76    "Data Source: Microsoft Defender for Endpoint",
 77    "Data Source: SentinelOne",
 78]
 79timestamp_override = "event.ingested"
 80type = "eql"
 81
 82query = '''
 83process where host.os.type == "windows" and event.type == "start" and
 84(
 85  (
 86    (
 87      process.name : ("rar.exe", "WinRAR.exe") or ?process.code_signature.subject_name == "win.rar GmbH" or
 88      ?process.pe.original_file_name == "WinRAR.exe"
 89    ) and
 90    process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
 91  ) or
 92  (
 93    (process.name : ("7z.exe", "7za.exe") or ?process.pe.original_file_name in ("7z.exe", "7za.exe")) and
 94    process.args == "a" and process.args : "-p*"
 95  )
 96) and
 97  not process.parent.executable : (
 98        "C:\\Program Files\\*.exe",
 99        "C:\\Program Files (x86)\\*.exe",
100        "?:\\ManageEngine\\*\\jre\\bin\\java.exe",
101        "?:\\Nox\\bin\\Nox.exe",
102        "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
103        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
104        "\\Device\\HarddiskVolume?\\ManageEngine\\*\\jre\\bin\\java.exe",
105        "\\Device\\HarddiskVolume?\\Nox\\bin\\Nox.exe"
106      )
107'''
108
109
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112
113[[rule.threat.technique]]
114id = "T1005"
115name = "Data from Local System"
116reference = "https://attack.mitre.org/techniques/T1005/"
117
118[[rule.threat.technique]]
119id = "T1560"
120name = "Archive Collected Data"
121reference = "https://attack.mitre.org/techniques/T1560/"
122
123[[rule.threat.technique.subtechnique]]
124id = "T1560.001"
125name = "Archive via Utility"
126reference = "https://attack.mitre.org/techniques/T1560/001/"
127
128
129[rule.threat.tactic]
130id = "TA0009"
131name = "Collection"
132reference = "https://attack.mitre.org/tactics/TA0009/"