Detection of Encrypted Archive Creation with WinRAR or 7-Zip
Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.
Attackers frequently compress and encrypt data before exfiltration to reduce the amount of data sent over the network and to obfuscate the contents. This behavior often indicates a later stage of intrusion in which the attacker has already collected sensitive data and is preparing to move it out of the environment. Archiving tools such as WinRAR and 7-Zip, invoked with encryption flags, help attackers hide the contents of what they stage, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in multiple threat actors, including Turla, as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.
Attack Chain
- Initial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.
- Credential Access: The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.
- Discovery: The attacker performs reconnaissance to identify sensitive data and systems of interest.
- Data Collection: The attacker gathers sensitive data from various locations on the compromised system or network.
- Archive Creation: The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments such as -hp, -p, /hp, or /p with rar.exe or WinRAR.exe, or -p* with 7z.exe or 7za.exe.
- Data Staging: The encrypted archive is moved to a staging location, such as a temporary directory or removable media.
- Exfiltration: The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.
- Covering Tracks: The attacker deletes the archive from the staging location to remove evidence of the activity.
Impact
A successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. The number of victims and specific sectors targeted will vary depending on the attacker’s objectives and the nature of the compromised data.
Recommendation
- Deploy the Sigma rule “Detect Encrypting Files with WinRar or 7z - CommandLine” to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters (rule: Detect Encrypting Files with WinRar or 7z - CommandLine).
- Enable process creation logging with command line arguments in Sysmon to ensure the necessary data is available for detection (Data Source: Sysmon).
- Investigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt (rule: Detect Encrypting Files with WinRar or 7z - CommandLine).
- Monitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.
Detection coverage (2 rules)
Detect Encrypting Files with WinRar or 7z - CommandLine
Level: medium. Detects the execution of WinRAR or 7-Zip with command-line arguments indicative of creating an encrypted archive.
Detect Encrypting Files with WinRar or 7z - Original Filename
Level: medium. Detects the execution of WinRAR or 7-Zip with command-line arguments indicative of creating an encrypted archive, matched on the binary's original filename rather than its on-disk name.
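The following is an added example, written for this brief and not the Sigma rules or any vendor code: it applies the logic of the two rules above, plus the switches named in the Archive Creation step, to Sysmon Event ID 1 style process-creation records. It assumes the Sysmon field names Image, OriginalFileName and CommandLine, assumes the OriginalFileName values carried by the WinRAR and 7-Zip binaries are rar.exe, WinRAR.exe, 7z.exe and 7za.exe, and adds one refinement of its own: it only fires when the archiver's command is "a" (add) or "u" (update), because the same -p switch is used when extracting an encrypted archive. It also reports whether archive headers (the file listing) are encrypted, via -hp for WinRAR or -mhe=on for 7-Zip. The sample events are constructed, not real telemetry.

```python
"""Flag process-creation events in which WinRAR or 7-Zip adds files to an
archive with a password or encryption switch (added example, not rule code)."""
import ntpath
import re
from typing import Optional

# Lower-cased image base names and OriginalFileName values for the two tools.
# Matching on OriginalFileName (from the PE version resource) survives a rename
# of the binary on disk; the exact values are an assumption of this example.
ARCHIVERS = {
    "rar.exe": "winrar",
    "winrar.exe": "winrar",
    "7z.exe": "7zip",
    "7za.exe": "7zip",
}

# Only archive creation is of interest; "-p" also appears when extracting.
CREATE_COMMANDS = {"a", "u"}

# Encryption-related switches per tool. WinRAR accepts "-" and "/" prefixes;
# 7-Zip uses "-" only. "headers" switches hide the file listing as well.
RULES = {
    "winrar": {"password": [r"^[-/]hp", r"^[-/]p"], "headers": [r"^[-/]hp"]},
    "7zip":   {"password": [r"^-p"],               "headers": [r"^-mhe=on$"]},
}

# Keep double-quoted arguments (paths with spaces) as single tokens.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> list[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def classify(event: dict) -> Optional[dict]:
    """Return {"tool", "headers_encrypted"} for encrypted archive creation,
    otherwise None. Only the switch family is reported; the password value
    on the command line is deliberately not copied into the result."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    tool = ARCHIVERS.get(image) or ARCHIVERS.get(original)
    if tool is None:
        return None

    args = tokenize(event.get("CommandLine", ""))[1:]          # drop argv[0]
    prefixes = ("-", "/") if tool == "winrar" else ("-",)
    switches = [a for a in args if a.startswith(prefixes)]
    commands = [a for a in args if not a.startswith(prefixes)]
    if not commands or commands[0].lower() not in CREATE_COMMANDS:
        return None                                            # e.g. "x" (extract)

    def any_match(patterns):
        return any(re.match(p, s, re.IGNORECASE) for p in patterns for s in switches)

    if not any_match(RULES[tool]["password"]):
        return None
    return {"tool": tool, "headers_encrypted": any_match(RULES[tool]["headers"])}


def scan(events: list[dict]) -> list[tuple[int, dict]]:
    """Run classify() over a batch and return (index, result) for each hit."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


# Constructed Sysmon-style events (not real telemetry); passwords are placeholders.
SAMPLE_EVENTS = [
    {   # WinRAR adding files with -hp: data and headers encrypted
        "Image": r"C:\Program Files\WinRAR\Rar.exe", "OriginalFileName": "Rar.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -hpREDACTED -r C:\Users\Public\stage\docs.rar "C:\Users\alice\Documents\*.xlsx"',
    },
    {   # 7-Zip renamed on disk; caught via OriginalFileName, -p plus -mhe=on
        "Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "7z.exe",
        "CommandLine": r"svchost.exe a -mx=1 -pREDACTED -mhe=on C:\Windows\Temp\d.7z C:\Users\bob\Documents",
    },
    {   # 7za with a password but no header encryption: listing stays readable
        "Image": r"C:\Tools\7za.exe", "OriginalFileName": "7za.exe",
        "CommandLine": r"7za.exe a -pREDACTED C:\Tools\out.7z C:\Tools\file.txt",
    },
    {   # Extraction of an encrypted archive: uses -p but creates nothing
        "Image": r"C:\Program Files\WinRAR\Rar.exe", "OriginalFileName": "Rar.exe",
        "CommandLine": r"Rar.exe x -pREDACTED C:\tmp\a.rar C:\tmp\out\\",
    },
    {   # Plain archive creation without a password
        "Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a C:\backup\data.7z C:\data',
    },
    {   # Unrelated process
        "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
    },
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit['tool']} encrypted archive creation, "
              f"headers encrypted={hit['headers_encrypted']}")
```

Expected hits are events 0, 1 and 2; the extraction, the unencrypted archive and notepad produce nothing. The "add or update" requirement is a trade-off: it cuts alerts on legitimate decryption, but an attacker could still stage data with a command the example does not list, so the broader Sigma rules above remain the primary detection and this check is a triage aid on top of them.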