Detection Strategy for Compressed Payload Creation and Execution

Technique Detected: Compression | T1027.015

ID: DET0281
Domains: Enterprise
Analytics: AN0782, AN0783, AN0784
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0782

Monitors for use of compression tools (e.g., 7zip, WinRAR, MakeCab) immediately before or after file modification, for compression of suspicious file types (e.g., .exe, .dll), and for files dropped by a self-extracting archive and executed shortly afterwards.

Log Sources
Data Component              Name                 Channel
Process Creation (DC0032)   WinEventLog:Sysmon   EventCode=1
File Creation (DC0039)      WinEventLog:Sysmon   EventCode=11
Mutable Elements
Field                Description
CompressedFileType   .zip, .rar, .cab, .gz; tune to the expected legitimate use of compression in the environment
SFXExecutionDelay    Expected time between archive unpacking and first execution; short delays are suspicious
UserContext          Restrict detection to non-admin or interactive users if sysadmin activity generates excessive false positives

AN0783

Detects command-line compression utilities (e.g., gzip, tar, zip, 7z) followed by execution of the unpacked files, especially when the archive is extracted into a temp directory or another non-standard location such as /dev/shm or /tmp and the extracted file is an ELF binary.

Log Sources
Data Component               Name             Channel
Process Creation (DC0032)    auditd:SYSCALL   execve
File Creation (DC0039)       auditd:SYSCALL   write
File Access (DC0055)         auditd:SYSCALL   openat
File Modification (DC0061)   auditd:SYSCALL   chmod
Mutable Elements
Field                       Description
PathRegex                   Flag compressed archives extracted to /tmp, /dev/shm, or the user's home directory
CompressionToolPatterns     gzip, tar, bzip2, xz, 7z; tune to suppress admin packaging workflows
ExecutionAfterUnpackWindow  How soon a newly unpacked file is executed after extraction

AN0784

Identifies archive utilities (e.g., ditto, unzip, xar, pkgutil) extracting payloads to non-standard paths, then correlates the extraction with execution of the extracted file, file permission changes on it (e.g., chmod +x), or process spawns from the decompressed location.

Log Sources
Data Component              Name               Channel
Process Creation (DC0032)   macos:unifiedlog   Process launch
File Metadata (DC0059)      macos:unifiedlog   filesystem events
File Creation (DC0039)      fs:fsusage         file open/write
Mutable Elements
Field                   Description
DecompressionPathMatch  Target unusual extraction paths (~/Library/, /tmp/, /private/tmp/)
ToolBinaryNames         List of decompression utilities used in the environment
FollowOnExecutionDelta  Time between decompression and first binary execution
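All three analytics (AN0782, AN0783, AN0784) reduce to one correlation: an archive tool or self-extracting stub writes a file into a path where nothing should be unpacked, and that file is executed, possibly after a chmod, within a short window. The Python below is an added illustration of that correlation and is not part of DET0281 or of any ATT&CK tooling. It runs over a constructed event stream that stands in for SIEM-normalized Sysmon 1/11, auditd execve/write/chmod and macOS process-launch records; the record format, field names, tool list, path regex and 120-second window are all assumptions that map onto the Mutable Elements above and should be tuned as those tables describe.

```python
"""Added illustration for DET0281 (not ATT&CK's own code): correlate
"archive unpacked into a suspicious path" with "that file executed soon
after" across pre-normalized Windows, Linux and macOS telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tuning knobs standing in for the Mutable Elements; values are assumptions.
COMPRESSION_TOOLS = {
    "7z.exe", "7zg.exe", "winrar.exe", "makecab.exe", "expand.exe",  # AN0782
    "gzip", "tar", "bzip2", "xz", "zip", "unzip", "7z",              # AN0783
    "ditto", "xar", "pkgutil",                                        # AN0784
}
SUSPICIOUS_PATH = re.compile(          # PathRegex / DecompressionPathMatch
    r"^/tmp/|^/private/tmp/|^/dev/shm/|^/home/[^/]+/|^/Users/[^/]+/Library/"
    r"|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)
EXECUTION_WINDOW = timedelta(seconds=120)  # SFXExecutionDelay / ExecutionAfterUnpackWindow


@dataclass
class Event:
    ts: datetime
    kind: str    # "process" (Sysmon 1, execve, launch), "file" (Sysmon 11, write), "chmod"
    pid: int
    ppid: int
    image: str   # executable of the acting process
    target: str  # file written or chmod'ed; for "process", the image that was launched


# Constructed sample in an assumed normalized format: ts|kind|pid|ppid|image|target
SAMPLE_LOG = r"""
# Windows: SFX stub from Downloads drops update.exe into %TEMP% and launches it
2025-10-21T10:00:00Z|process|1201|880|C:\Users\bob\Downloads\invoice.exe|C:\Users\bob\Downloads\invoice.exe
2025-10-21T10:00:01Z|file|1201|880|C:\Users\bob\Downloads\invoice.exe|C:\Users\bob\AppData\Local\Temp\RarSFX0\update.exe
2025-10-21T10:00:03Z|process|1230|1201|C:\Users\bob\AppData\Local\Temp\RarSFX0\update.exe|C:\Users\bob\AppData\Local\Temp\RarSFX0\update.exe
# Linux: tar extracts an ELF into /dev/shm, chmod +x, then it runs
2025-10-21T10:05:00Z|process|4100|4000|/usr/bin/tar|/usr/bin/tar
2025-10-21T10:05:01Z|file|4100|4000|/usr/bin/tar|/dev/shm/.x/agent
2025-10-21T10:05:02Z|chmod|4105|4000|/usr/bin/chmod|/dev/shm/.x/agent
2025-10-21T10:05:04Z|process|4110|4000|/dev/shm/.x/agent|/dev/shm/.x/agent
# macOS: ditto extracts into ~/Library, but execution comes two hours later (outside the window)
2025-10-21T11:00:00Z|process|7000|6000|/usr/bin/ditto|/usr/bin/ditto
2025-10-21T11:00:01Z|file|7000|6000|/usr/bin/ditto|/Users/alice/Library/Caches/helper
2025-10-21T13:00:00Z|process|7200|6000|/Users/alice/Library/Caches/helper|/Users/alice/Library/Caches/helper
# Linux: admin deploy workflow into /opt (not in PathRegex), so no alert
2025-10-21T12:00:00Z|process|5000|4000|/usr/bin/tar|/usr/bin/tar
2025-10-21T12:00:01Z|file|5000|4000|/usr/bin/tar|/opt/app/releases/v2/bin/app
2025-10-21T12:00:02Z|process|5010|4000|/opt/app/releases/v2/bin/app|/opt/app/releases/v2/bin/app
"""


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def load(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, kind, pid, ppid, image, target = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            kind, int(pid), int(ppid), image, target))
    return events


def correlate(events: list[Event], window: timedelta = EXECUTION_WINDOW) -> list[dict]:
    """One alert per execution of a file that an archive tool or an SFX stub
    wrote into a suspicious path less than `window` earlier."""
    dropped: dict[str, Event] = {}   # lowercased path -> file-creation event
    chmodded: set[str] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file" and SUSPICIOUS_PATH.search(ev.target):
            dropped[ev.target.lower()] = ev
        elif ev.kind == "chmod" and ev.target.lower() in dropped:
            chmodded.add(ev.target.lower())          # File Modification (DC0061)
        elif ev.kind == "process":
            key = ev.image.lower()
            drop = dropped.get(key)
            if drop is None or ev.ts - drop.ts > window:
                continue
            if basename(drop.image) in COMPRESSION_TOOLS:
                reason = f"extracted by {basename(drop.image)}"
            elif drop.pid == ev.ppid:
                # Self-extracting archive: the writer of the file is also its parent
                reason = f"self-extracting: dropped and launched by {basename(drop.image)}"
            else:
                continue   # unrelated dropper; not a compression pattern
            if key in chmodded:
                reason += ", chmod on extracted file"
            alerts.append({"ts": ev.ts.isoformat(), "pid": ev.pid, "image": ev.image,
                           "delta_s": (ev.ts - drop.ts).total_seconds(), "reason": reason})
    return alerts


def detect(text: str = SAMPLE_LOG, window: timedelta = EXECUTION_WINDOW) -> list[dict]:
    return correlate(load(text), window)


if __name__ == "__main__":
    for a in detect():
        print(f'{a["ts"]} pid={a["pid"]} {a["image"]} ({a["delta_s"]:.0f}s after unpack): {a["reason"]}')
```

Two design points carry over to a real deployment. The self-extracting case is caught by joining Sysmon EventCode 11's writing process to EventCode 1's ParentProcessId rather than by tool name, because an SFX stub is an arbitrary .exe; a Sysmon configuration that filters FileCreate by extension will miss drops of unusual file types, so check the filter before trusting the analytic. Paths are lowercased for matching, which is correct on NTFS but collapses distinct case-sensitive paths on Linux and macOS; keep the comparison case-sensitive there if that matters in your environment.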