[metadata] creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" updated_date = "2026/03/24" [rule] author = ["Elastic"] building_block_type = "default" description = """ Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. """ from = "now-119m" index = ["logs-endpoint.events.library-*"] interval = "60m" language = "eql" license = "Elastic License v2" name = "Compression DLL Loaded by Unusual Process" risk_score = 21 rule_id = "d197478e-39f0-4347-a22f-ba654718b148" severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "eql" query = ''' library where host.os.type == "windows" and event.action == "load" and dll.name : ("System.IO.Compression.FileSystem.ni.dll", "System.IO.Compression.ni.dll") and not ( ( process.executable : ( "?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe", "?:\\Windows\\System32\\sdiagnhost.exe", "?:\\Windows\\System32\\inetsrv\\w3wp.exe", "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe", "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*\\OpenHandleCollector.exe" ) and process.code_signature.trusted == true ) or ( process.name : "NuGet.exe" and process.code_signature.trusted == true and user.id : ("S-1-5-18", "S-1-5-20") ) ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" [[rule.threat.technique.subtechnique]] id = "T1560.002" name = "Archive via Library" reference = "https://attack.mitre.org/techniques/T1560/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/"