https://feed.craftedsignal.io/tags/archive/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 19 Mar 2026 17:31:15 +0000https://feed.craftedsignal.io/briefs/2026-03-motw-bypass/Thu, 19 Mar 2026 17:31:15 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-motw-bypass/A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.A new MOTW bypass technique has emerged that chains a CAB file with two TAR archives nested within a 7-Zip archive. This method effectively strips the Zone.Identifier stream from downloaded files, preventing the display of SmartScreen prompts or security warnings. Many organizations rely on MOTW and SmartScreen as a crucial layer of defense against phishing attacks. This bypass, affecting fully patched environments, allows attackers to execute arbitrary code without the usual security checks, potentially leading to malware infection or data compromise. The technique is not a rehash of older 7-Zip MOTW issues but a novel approach to evade detection based on Zone.Identifier.

Attack Chain

1. Attacker crafts a malicious payload.
2. Attacker packages the payload into a TAR archive.
3. The TAR archive is nested inside another TAR archive.
4. The nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.
5. The 7-Zip archive is packaged into a CAB archive using makecab.exe.
6. The CAB archive is distributed to the victim, potentially via phishing or drive-by download.
7. The victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.
8. The payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.

Impact

Successful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.

Recommendation

• Implement detections for unusual process chains involving makecab.exe, 7z.exe, and tar.exe as these tools are used in the bypass (see Sigma rule “Detect Suspicious Archive Chaining”).
• Monitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule “Detect Archive Extraction from Downloaded CAB”).
• Analyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.
• Block the URL https://youtu.be/pQxiPwGTBL8 to prevent users from accessing potentially malicious content related to this bypass.

]]>highadvisorymotwbypassphishingdefense-evasionarchive7-zipcabtarhttps://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/Wed, 24 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-script-exec-archive/This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.Attackers commonly use archive files (ZIP, RAR, 7z) to deliver malicious scripts, such as JScript and VBScript, to Windows systems. This technique allows them to bypass some initial security checks and deliver payloads that can execute arbitrary code. The “Windows Script Execution from Archive” detection identifies instances where Windows Script Host (wscript.exe) is launched from temporary directories containing extracted archive contents. This activity can indicate a user has opened a malicious archive, leading to potential malware execution. This detection focuses on the parent-child process relationship, where explorer.exe, winrar.exe, or 7zFM.exe spawns wscript.exe to execute scripts from the temp directory.

Attack Chain

1. A user receives a malicious archive file (e.g., ZIP, RAR, 7z) via email or downloads it from a website.
2. The user opens the archive file using a file archiver tool like Explorer, WinRAR, or 7-Zip.
3. The archiver extracts the contents, including a malicious JScript (.js) or VBScript (.vbs) file, to a temporary directory, such as \Users\*\AppData\Local\Temp\7z*\.
4. The user (or the archiver tool) inadvertently executes the extracted script using Windows Script Host (wscript.exe).
5. Wscript.exe executes the malicious script, which may perform a variety of actions, such as downloading and executing additional payloads.
6. The script establishes persistence via registry modification, adding a run key to execute upon system startup.
7. The script connects to a command-and-control server to receive further instructions.
8. The attacker gains control of the compromised system and begins lateral movement.

Impact

A successful attack of this nature can lead to arbitrary code execution on the victim’s machine, potentially resulting in data theft, malware installation, or complete system compromise. While the number of affected organizations is not specified, the technique is broadly applicable to any Windows environment where users handle archive files, potentially affecting numerous individuals and organizations across various sectors.

Recommendation

• Enable process creation logging with command line arguments to capture the execution of wscript.exe and its arguments.
• Deploy the Sigma rule “Detect Script Execution from Archive” to your SIEM to identify suspicious script execution patterns.
• Monitor process activity for wscript.exe and other scripting engines executing from temporary directories.
• Configure endpoint security solutions to block execution of scripts from common temporary directories.

]]>mediumadvisoryexecutionwindowsscriptingarchivehttps://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/Thu, 04 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.This threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub’s audit logs and can be monitored to identify potentially malicious actions. Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.

Attack Chain

1. An attacker gains unauthorized access to a GitHub account with repository administration privileges.
2. The attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.
3. The attacker navigates to the settings page of a target repository.
4. The attacker modifies the repository’s archive status, either archiving or unarchiving it depending on their objective.
5. GitHub logs the ‘repo.archived’ or ‘repo.unarchived’ action in the organization’s audit logs.
6. (If archiving) Legitimate users may lose access to the repository and its code, causing disruption.
7. (If unarchiving) The attacker might reintroduce vulnerable code or malicious content into an active repository.
8. The attacker may then attempt to exploit the unarchived repository for further malicious activities.

Impact

The impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. The number of affected repositories depends on the scope of the attacker’s access and objectives.

Recommendation

• Deploy the Sigma rule “GitHub Repository Archive Status Changed” to your SIEM and tune for your environment. This rule detects the repo.archived and repo.unarchived actions in GitHub audit logs (logsource: github, service: audit).
• Review GitHub audit logs regularly for unexpected repository archiving or unarchiving events.
• Investigate any detected events to determine if the actions were authorized.

]]>lowadvisorygithubrepositoryarchiveunarchivepersistenceimpactdefense-impairmenthttps://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.Attackers frequently compress and encrypt data before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags can help attackers to hide their activities, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in multiple threat actors including Turla as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.

Attack Chain

1. Initial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.
2. Credential Access: The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.
3. Discovery: The attacker performs reconnaissance to identify sensitive data and systems of interest.
4. Data Collection: The attacker gathers sensitive data from various locations on the compromised system or network.
5. Archive Creation: The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like -hp, -p, /hp, or /p with rar.exe or WinRAR.exe or -p* with 7z.exe or 7za.exe.
6. Data Staging: The encrypted archive is moved to a staging location, such as a temporary directory or removable media.
7. Exfiltration: The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.
8. Covering Tracks: The attacker deletes the archive from the staging location to remove evidence of the activity.

Impact

A successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. The number of victims and specific sectors targeted will vary depending on the attacker’s objectives and the nature of the compromised data.

Recommendation

• Deploy the Sigma rule “Detect Encrypting Files with WinRar or 7z - CommandLine” to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).
• Enable process creation logging with command line arguments in Sysmon to ensure the necessary data is available for detection (Data Source: Sysmon).
• Investigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).
• Monitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.

]]>mediumadvisorycollectionarchiveexfiltrationwindows