{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/archive/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["motw","bypass","phishing","defense-evasion","archive","7-zip","cab","tar"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new MOTW bypass technique has emerged that chains a CAB file with two TAR archives nested within a 7-Zip archive. This method effectively strips the Zone.Identifier stream from downloaded files, preventing the display of SmartScreen prompts or security warnings. Many organizations rely on MOTW and SmartScreen as a crucial layer of defense against phishing attacks. This bypass, affecting fully patched environments, allows attackers to execute arbitrary code without the usual security checks, potentially leading to malware infection or data compromise. The technique is not a rehash of older 7-Zip MOTW issues but a novel approach to evade detection based on Zone.Identifier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious payload.\u003c/li\u003e\n\u003cli\u003eAttacker packages the payload into a TAR archive.\u003c/li\u003e\n\u003cli\u003eThe TAR archive is nested inside another TAR archive.\u003c/li\u003e\n\u003cli\u003eThe nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.\u003c/li\u003e\n\u003cli\u003eThe 7-Zip archive is packaged into a CAB archive using makecab.exe.\u003c/li\u003e\n\u003cli\u003eThe CAB archive is distributed to the victim, potentially via phishing or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detections for unusual process chains involving \u003ccode\u003emakecab.exe\u003c/code\u003e, \u003ccode\u003e7z.exe\u003c/code\u003e, and \u003ccode\u003etar.exe\u003c/code\u003e as these tools are used in the bypass (see Sigma rule \u0026ldquo;Detect Suspicious Archive Chaining\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule \u0026ldquo;Detect Archive Extraction from Downloaded CAB\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eAnalyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.\u003c/li\u003e\n\u003cli\u003eBlock the URL \u003ccode\u003ehttps://youtu.be/pQxiPwGTBL8\u003c/code\u003e to prevent users from accessing potentially malicious content related to this bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T17:31:15Z","date_published":"2026-03-19T17:31:15Z","id":"/briefs/2026-03-motw-bypass/","summary":"A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.","title":"MOTW Bypass via CAB, TAR, and 7-Zip Chaining","url":"https://feed.craftedsignal.io/briefs/2026-03-motw-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["execution","windows","scripting","archive"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers commonly use archive files (ZIP, RAR, 7z) to deliver malicious scripts, such as JScript and VBScript, to Windows systems. This technique allows them to bypass some initial security checks and deliver payloads that can execute arbitrary code. The \u0026ldquo;Windows Script Execution from Archive\u0026rdquo; detection identifies instances where Windows Script Host (wscript.exe) is launched from temporary directories containing extracted archive contents. This activity can indicate a user has opened a malicious archive, leading to potential malware execution. This detection focuses on the parent-child process relationship, where explorer.exe, winrar.exe, or 7zFM.exe spawns wscript.exe to execute scripts from the temp directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious archive file (e.g., ZIP, RAR, 7z) via email or downloads it from a website.\u003c/li\u003e\n\u003cli\u003eThe user opens the archive file using a file archiver tool like Explorer, WinRAR, or 7-Zip.\u003c/li\u003e\n\u003cli\u003eThe archiver extracts the contents, including a malicious JScript (.js) or VBScript (.vbs) file, to a temporary directory, such as \u003ccode\u003e\\Users\\*\\AppData\\Local\\Temp\\7z*\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user (or the archiver tool) inadvertently executes the extracted script using Windows Script Host (wscript.exe).\u003c/li\u003e\n\u003cli\u003eWscript.exe executes the malicious script, which may perform a variety of actions, such as downloading and executing additional payloads.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence via registry modification, adding a run key to execute upon system startup.\u003c/li\u003e\n\u003cli\u003eThe script connects to a command-and-control server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system and begins lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. While the number of affected organizations is not specified, the technique is broadly applicable to any Windows environment where users handle archive files, potentially affecting numerous individuals and organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the execution of wscript.exe and its arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Script Execution from Archive\u0026rdquo; to your SIEM to identify suspicious script execution patterns.\u003c/li\u003e\n\u003cli\u003eMonitor process activity for wscript.exe and other scripting engines executing from temporary directories.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint security solutions to block execution of scripts from common temporary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-script-exec-archive/","summary":"This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.","title":"Windows Script Execution from Archive File","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["low"],"_cs_tags":["github","repository","archive","unarchive","persistence","impact","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub\u0026rsquo;s audit logs and can be monitored to identify potentially malicious actions. Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with repository administration privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings page of a target repository.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the repository\u0026rsquo;s archive status, either archiving or unarchiving it depending on their objective.\u003c/li\u003e\n\u003cli\u003eGitHub logs the \u0026lsquo;repo.archived\u0026rsquo; or \u0026lsquo;repo.unarchived\u0026rsquo; action in the organization\u0026rsquo;s audit logs.\u003c/li\u003e\n\u003cli\u003e(If archiving) Legitimate users may lose access to the repository and its code, causing disruption.\u003c/li\u003e\n\u003cli\u003e(If unarchiving) The attacker might reintroduce vulnerable code or malicious content into an active repository.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to exploit the unarchived repository for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. The number of affected repositories depends on the scope of the attacker\u0026rsquo;s access and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GitHub Repository Archive Status Changed\u0026rdquo; to your SIEM and tune for your environment. This rule detects the \u003ccode\u003erepo.archived\u003c/code\u003e and \u003ccode\u003erepo.unarchived\u003c/code\u003e actions in GitHub audit logs (logsource: github, service: audit).\u003c/li\u003e\n\u003cli\u003eReview GitHub audit logs regularly for unexpected repository archiving or unarchiving events.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected events to determine if the actions were authorized.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T15:00:00Z","date_published":"2024-01-04T15:00:00Z","id":"/briefs/2024-01-github-repo-archive-status-changed/","summary":"Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.","title":"GitHub Repository Archive Status Changed","url":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["collection","archive","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers frequently compress and encrypt data before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags can help attackers to hide their activities, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in multiple threat actors including Turla as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify sensitive data and systems of interest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The attacker gathers sensitive data from various locations on the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArchive Creation:\u003c/strong\u003e The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like \u003ccode\u003e-hp\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/hp\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e with \u003ccode\u003erar.exe\u003c/code\u003e or \u003ccode\u003eWinRAR.exe\u003c/code\u003e or \u003ccode\u003e-p*\u003c/code\u003e with \u003ccode\u003e7z.exe\u003c/code\u003e or \u003ccode\u003e7za.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e The encrypted archive is moved to a staging location, such as a temporary directory or removable media.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker deletes the archive from the staging location to remove evidence of the activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. The number of victims and specific sectors targeted will vary depending on the attacker\u0026rsquo;s objectives and the nature of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Encrypting Files with WinRar or 7z - CommandLine\u0026rdquo; to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Sysmon to ensure the necessary data is available for detection (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-winrar-7zip-encryption/","summary":"Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.","title":"Detection of Encrypted Archive Creation with WinRAR or 7-Zip","url":"https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/"}],"language":"en","title":"CraftedSignal Threat Feed — Archive","version":"https://jsonfeed.org/version/1.1"}