Self-extracting archives (SFX) are executables that contain compressed data with a built-in code to extract the data when it executes. They are commonly used for packaging and distributing software installers, portable applications, system recovery or backup files, and securely delivering compressed and encrypted files. Attackers use SFX archives as a delivery mechanism for malware because they are easy to distribute and can disguise as legitimate software.

For many years, benign uses of SFX archives have existed, but recently these archives may include hidden malicious functionality that security detections may overlook. Researchers have found that an empty SFX archive file can also be harmful because it can give hackers a persistent backdoor to a victim’s environment.

Common behaviors of malicious SFX archives

Attackers can configure SFX archives to exhibit various behaviors that pose significant risks to systems and networks. Some of these behaviors include the following: 

  • Unauthorized extraction of files to unexpected locations.
  • Establishing suspicious network connections for command and control communication.
  • Modifying system configurations to ensure persistence and evasion. 
  • Employing evasive techniques such as obfuscation or encryption.
  • Executing unauthorized code and launching malicious processes.
  • Exploiting software vulnerabilities and replacing or modifying legitimate files with malicious counterparts.

These behaviors aim to compromise system integrity, exfiltrate sensitive data, or facilitate further malware propagation. Therefore, it is essential to adopt robust security measures and continuous monitoring to detect and mitigate the threats posed by suspicious SFX archives.

Infrastructure

We use the following infrastructure to demonstrate the detection of SFX archives behaviors with Wazuh.

  • A pre-built ready-to-use Wazuh OVA 4.4.3. Follow this guide to download the virtual machine. This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 11 victim endpoint with Wazuh agent 4.4.3 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the following installation guide

Detection with Wazuh

We show how to use Sysmon integration with Wazuh to detect SFX archives behaviors on the Windows 11 endpoint.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture Sysmon logs and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file – sysmonconfig.xml using Powershell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>

4. Switch to the directory with the Symon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the  C:\Program Files (x86)\ossec-agent\ossec.conf file. This configures the Wazuh agent to collect and forward Sysmon event logs to the Wazuh server.

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect activities performed using SFX archives on the victim endpoint. 

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="sfx_archives">

  <rule id="100102" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar_].*sfx.*\*|.*\7z.*</field>
    <description>SFX archive command, $(win.eventdata.CommandLine) invoked the application $(win.eventdata.OriginalFileName).</description>
    <mitre>
      <id>T1490</id>
    </mitre>
  </rule>
  
  <rule id="100103" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CurrentDirectory" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar_].*sfx.*\*|.*\7z.*</field>
    <description>SFX archive command, $(win.eventdata.CommandLine) executed from $(win.eventdata.CurrentDirectory).</description>
    <mitre>
      <id>T1490</id>
    </mitre>
  </rule>

  <rule id="100104" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar_].*sfx.*\*|.*\7z.*</field>
    <description>The file $(win.eventdata.targetFilename) has been created by $(win.eventdata.image). SFX archive activity detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <rule id="100105" level="10">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar_].*sfx.*\*|.*\7z.*</field>
    <description>The file $(win.eventdata.targetFilename) has been created by $(win.eventdata.image). SFX archive activity detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>
  
  <rule id="100106" level="10">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2" >^SetValue$</field>
    <field name="win.eventdata.Image" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar].*sfx.*\.*</field>
    <description>The image, $(win.eventdata.image) made a change to the registry at $(win.eventdata.targetObject). SFX archive activity.</description>   
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>
  
  <rule id="100107" level="10">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.ImageLoaded" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar].*sfx.*exe</field>
    <description>The image $(win.eventdata.image) loaded a file $(win.eventdata.imageLoaded). SFX archive activity detected.</description>
  </rule>
  
  <rule id="100108" level="10">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)[C-Z]:.*.\[7ZipRar].*sfx.*exe</field>
    <description>The suspicious image, $(win.eventdata.image), loaded the executable $(win.eventdata.imageLoaded). SFX archive activity detected.</description>
  </rule>

</group>

Where:

  • Rule ID 100102 detects when an SFX archive executes command line instructions on the Windows endpoint.
  • Rule ID 100103 detects when an SFX archive executes several commands from the win.eventdata.CurrentDirectory to perform several activities on the Windows endpoint.
  • Rule ID 100104 and Rule ID 100105 detect when an SFX archive with win.eventdata.image creates files on the Windows endpoint.
  • Rule ID 100106 detects when an SFX archive changes registry settings on the Windows endpoint.
  • Rule ID 100107 and Rule ID 100108 detect when an SFX archive loads an image file win.eventdata.imageLoaded on the Windows endpoint.

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Detection results

Below is the image of the alerts generated on the Wazuh dashboard when an SFX archive is executed on the Windows endpoint.

From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.

sfx archives

Conclusion

Due to the widespread abuse of SFX archives, it’s important to understand the extended functionality provided by some SFX archives and how adversaries leverage these in their intrusions. In this blog post, we demonstrated how to detect SFX archives behaviors with Wazuh. We utilized Sysmon to enrich logs from the victim endpoint and created rules to detect suspicious activities associated with SFX archives.

Wazuh is an open source security platform with several capabilities to monitor and protect your infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.

References