Attackers may create password-protected archives to exfiltrate sensitive data, masking malicious activity and evading basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts and disrupt adversary operations.
KQL Query
DeviceProcessEvents
| where ProcessCommandLine matches regex @"\s[aukfAUKF]\s.*\s-p" // Basic filter to look for launch string
| extend SplitLaunchString = split(ProcessCommandLine, ' ') // Split on the space
| where array_length(SplitLaunchString) >= 5 and SplitLaunchString[1] in~ ('a','u','k','f') // look for calls to archive or update an archive specifically as the first argument
| mv-expand SplitLaunchString // cross apply the array
| where SplitLaunchString startswith "-p" // -p is the password switch and is immediately followed by a password without a space
| extend ArchivePassword = substring(SplitLaunchString, 2, strlen(SplitLaunchString))
| project-reorder ProcessCommandLine, ArchivePassword // Promote these fields to the left
id: 8ec6abaa-de36-4510-86c2-1a1aeeb004ab
name: Password Protected Archive Creation
description: |
  One common technique leveraged by attackers is using archiving applications to package up files for exfiltration. These archives are often protected with a password to make analysis more difficult. This query identifies applications which leverage a command line pattern matching the 7zip and WinRAR command line executables to create or update an archive when a password is specified. By detecting on the command line rather than the image name, we avert attempts to dodge detection by renaming the application.
  Happy hunting!
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Collection
  - Exfiltration
query: |
  DeviceProcessEvents
  | where ProcessCommandLine matches regex @"\s[aukfAUKF]\s.*\s-p" // Basic filter to look for launch string
  | extend SplitLaunchString = split(ProcessCommandLine, ' ') // Split on the space
  | where array_length(SplitLaunchString) >= 5 and SplitLaunchString[1] in~ ('a','u','k','f') // look for calls to archive or update an archive specifically as the first argument
  | mv-expand SplitLaunchString // cross apply the array
  | where SplitLaunchString startswith "-p" // -p is the password switch and is immediately followed by a password without a space
  | extend ArchivePassword = substring(SplitLaunchString, 2, strlen(SplitLaunchString))
  | project-reorder ProcessCommandLine, ArchivePassword // Promote these fields to the left
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
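As an added example (not part of the original query or of the Azure Sentinel repository), the Python below re-implements the KQL pipeline above step by step over a few constructed DeviceProcessEvents rows, and adds the kind of account allow-list the false-positive scenarios below suggest. Device names, account names, command lines and the `excluded_accounts` tuning hook are all assumptions for illustration.

```python
import re

# Constructed rows shaped like DeviceProcessEvents (all values hypothetical).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "jdoe",
     "ProcessCommandLine": r"7z.exe a C:\Users\jdoe\out.7z C:\Users\jdoe\docs -pS3cr3t!"},
    {"DeviceName": "ws02", "AccountName": "backup_user",
     "ProcessCommandLine": r"WinRAR.exe u -r -pBackupPw backup.rar C:\data"},
    # Passes the regex prefilter (" a " and " -p" present) but the verb is not argv[1].
    {"DeviceName": "ws03", "AccountName": "jdoe",
     "ProcessCommandLine": "someapp.exe --mode a b -pValue extra"},
    {"DeviceName": "ws04", "AccountName": "jdoe",
     "ProcessCommandLine": r"notepad.exe C:\notes.txt"},
    # Upper-case verb: the query's in~ comparison is case-insensitive.
    {"DeviceName": "ws05", "AccountName": "jdoe",
     "ProcessCommandLine": "Rar.exe A out.rar -pX file.docx"},
]

# Same pattern as the KQL "matches regex" prefilter.
LAUNCH_RE = re.compile(r"\s[aukfAUKF]\s.*\s-p")
ARCHIVE_VERBS = {"a", "u", "k", "f"}   # verbs accepted by the original query


def detect(events, excluded_accounts=frozenset()):
    """Mirror the KQL pipeline: regex prefilter, split on space, verb check,
    mv-expand, '-p' token match, password extraction. Rows whose AccountName
    is in excluded_accounts are dropped (hypothetical tuning hook)."""
    hits = []
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if not LAUNCH_RE.search(cmd):
            continue
        parts = cmd.split(" ")                      # split(ProcessCommandLine, ' ')
        if len(parts) < 5 or parts[1].lower() not in ARCHIVE_VERBS:
            continue
        if ev["AccountName"] in excluded_accounts:  # allow-list, e.g. a backup account
            continue
        for tok in parts:                           # mv-expand SplitLaunchString
            if tok.startswith("-p"):                # password switch, value glued on
                hits.append({**ev, "ArchivePassword": tok[2:]})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS, excluded_accounts={"backup_user"}):
        print(h["DeviceName"], h["AccountName"], repr(h["ArchivePassword"]))
```

Running it flags ws01, ws02 and ws05 with no exclusions, and only ws01 and ws05 once backup_user is allow-listed; ws03 shows why the query insists on the archive verb being the first argument rather than anywhere on the line.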
Scenario: System Administrator Creates a Password-Protected Archive for Data Backup
Filter/Exclusion: Check for the presence of known backup tools (e.g., rsync, tar, zip with admin credentials) and filter by user or group (e.g., root, backup_user).
Example Filter: user.name == "backup_user" || process.name == "tar" || process.name == "zip"
Scenario: Scheduled Job for Archiving Logs with Password Protection
Filter/Exclusion: Identify scheduled tasks (e.g., via cron, systemd, or Task Scheduler) that are known to archive logs. Exclude tasks with specific job names or paths (e.g., /opt/log_archive.sh).
Example Filter: process.name == "cron" || process.name == "systemd" || file.path == "/opt/log_archive.sh"
Scenario: IT Team Packages Software with a Password for Distribution
Filter/Exclusion: Exclude activities involving known software packaging tools (e.g., 7-Zip, WinRAR, tar, zip) used by IT teams. Filter by user or by file paths associated with software distribution (e.g., /var/software/).
Example Filter: process.name == "7-Zip" || process.name == "zip" || file.path == "/var/software/"
Scenario: User Creates a Password-Protected Archive for Personal Use
Filter/Exclusion: Exclude users with non-privileged accounts or those who frequently create archives in personal directories. Use user-based filtering or check for archive creation in user home directories.
Example Filter: user.name != "root" && file.path == "/home/*/"
Scenario: Password-Protected Archive Used for Compliance or Legal Purposes
Filter/Exclusion: Identify archives created