Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
Elastic rule
[metadata]
creation_date = "2020/07/02"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
"""
false_positives = [
    """
    Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be
    tailored to either exclude systems as sources or destinations in which this behavior is expected.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Roshal Archive (RAR) or PowerShell File Downloaded from the Internet

RAR files and PowerShell scripts are powerful tools in IT environments, used for data compression and task automation, respectively. However, adversaries exploit these for malicious purposes, such as downloading encrypted tools to evade detection. The detection rule identifies unusual downloads of these files from external sources, flagging potential threats by monitoring network traffic and excluding trusted internal IP ranges.

### Possible investigation steps

- Review the network traffic logs to identify the internal host that initiated the download, focusing on the source IP addresses within the ranges 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
- Examine the destination IP address of the download to determine if it is associated with known malicious activity or if it is an unusual external IP not typically accessed by the organization.
- Analyze the downloaded file's URL extension or path to confirm if it matches .ps1 or .rar, and assess whether this is expected behavior for the identified host or user.
- Check the internal host's recent activity for any signs of lateral movement or further suspicious downloads, which could indicate a broader compromise.
- Investigate the user account associated with the internal host to verify if the download aligns with their typical usage patterns and permissions.
- Utilize threat intelligence sources to gather additional context on the downloaded file or the external IP address to assess potential risks or known threats.

### False positive analysis

- Internal software updates or legitimate administrative scripts may trigger the rule. To manage this, create exceptions for known internal update servers or trusted administrative IP addresses.
- Automated backup processes that use RAR files for compression can be mistaken for threats. Exclude IP addresses or domains associated with these backup services from the rule.
- Development environments often download scripts for testing purposes. Identify and exclude IP ranges or specific hosts associated with development activities to prevent false positives.
- Security tools that download threat intelligence or updates in RAR format might be flagged. Whitelist the IP addresses of these security tools to avoid unnecessary alerts.
- Regularly review and update the list of trusted internal IP ranges to ensure that legitimate traffic is not incorrectly flagged as suspicious.

### Response and remediation

- Isolate the affected host from the network immediately to prevent further lateral movement or data exfiltration.
- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any malicious files or scripts.
- Review and analyze network logs to identify any other potentially compromised systems or unusual outbound connections that may indicate further compromise.
- Reset credentials and access tokens for the affected host and any other systems that may have been accessed using the compromised host.
- Restore the affected system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
- Implement network segmentation to limit the ability of threats to move laterally within the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery efforts.

## Threat intel

This activity has been observed in FIN7 campaigns."""
references = [
    "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
    "https://www.justice.gov/opa/press-release/file/1084361/download",
    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
]
risk_score = 47
rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
severity = "medium"
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: (network_traffic.http or network_traffic.tls) or
  (event.category: (network or network_traffic) and network.protocol: http)) and
  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
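The KQL query above is evaluated inside the Elastic stack, which makes it hard to reason about offline: which of the three clauses (HTTP/TLS traffic, a .ps1/.rar name, and the internal-source / non-special destination filter) actually gates a given event, and what a tuning exception for a trusted update or backup host (the false-positive guidance in the note) would suppress. The following Python re-implementation of the same matching logic is an added example, not Elastic's code or part of the rule. It uses the ECS field names the query uses (event.dataset, event.category, network.protocol, url.extension, url.path, source.ip, destination.ip); the sample events, the public address 203.0.114.5 used as a non-excluded destination, and the `trusted` allowlist parameter are all constructed for this illustration. It goes slightly beyond the query in one respect: it lets you pass per-host exceptions, which in Elastic you would add as rule exceptions rather than edit into the query.

```python
"""Offline evaluator for the "RAR or PowerShell file downloaded" rule logic.

Added example (not Elastic's code). Field names follow ECS as used by the rule's
KQL query; sample events and the `trusted` allowlist are constructed here.
"""
import ipaddress
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Set

# Destination ranges the query excludes: IANA special-purpose blocks, RFC 1918,
# multicast, and the three IPv6 entries the query lists.
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8",
)]

# Source ranges the query requires (RFC 1918 internal hosts).
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

SUSPECT_EXTENSIONS = {"ps1", "rar"}
SUSPECT_PATH_GLOBS = ("*.ps1", "*.rar")


def in_any(ip: str, networks: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if `ip` (IPv4 or IPv6 string) lies inside any of `networks`.
    ipaddress returns False for a v4 address tested against a v6 network, so
    mixed-family comparisons are safe."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_http_or_tls(event: dict) -> bool:
    """First clause: Packetbeat HTTP/TLS datasets, or a PAN-OS style event whose
    category is network/network_traffic with network.protocol == http."""
    if event.get("event.dataset") in ("network_traffic.http", "network_traffic.tls"):
        return True
    category = event.get("event.category") or []
    if isinstance(category, str):
        category = [category]
    return bool(set(category) & {"network", "network_traffic"}) and \
        event.get("network.protocol") == "http"


def names_suspect_file(event: dict) -> bool:
    """Second clause: url.extension is ps1/rar, or url.path ends in .ps1/.rar.
    Matching is case-sensitive, as a KQL term match on a keyword field is;
    whether your pipeline lower-cases url.extension is a separate question."""
    ext = event.get("url.extension") or ""
    path = event.get("url.path") or ""
    return ext in SUSPECT_EXTENSIONS or any(fnmatchcase(path, g) for g in SUSPECT_PATH_GLOBS)


def rule_matches(event: dict, trusted: Optional[Set[str]] = None) -> bool:
    """Evaluate the whole rule against one ECS-style event.

    `trusted` is a hypothetical tuning knob mirroring the false_positives note:
    source or destination IPs (update servers, backup hosts) that never alert.
    """
    trusted = trusted or set()
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not src or not dst:
        return False
    if src in trusted or dst in trusted:
        return False
    return (
        is_http_or_tls(event)
        and names_suspect_file(event)
        and not in_any(dst, EXCLUDED_DESTINATIONS)
        and in_any(src, INTERNAL_SOURCES)
    )


def matching_events(events: List[dict], trusted: Optional[Set[str]] = None) -> List[int]:
    """Indices of the events that would raise this alert."""
    return [i for i, e in enumerate(events) if rule_matches(e, trusted)]


# Constructed sample events (203.0.114.5 is a placeholder public address that
# sits outside every excluded range).
SAMPLE_EVENTS = [
    # 0: internal host fetches a .ps1 from a public address -> alert
    {"event.dataset": "network_traffic.http", "source.ip": "10.1.2.3",
     "destination.ip": "203.0.114.5", "url.path": "/tools/stage.ps1", "url.extension": "ps1"},
    # 1: PAN-OS style event, .rar recognised via url.path only -> alert
    {"event.category": "network", "network.protocol": "http", "source.ip": "172.20.5.9",
     "destination.ip": "203.0.114.5", "url.path": "/dl/bundle.rar"},
    # 2: same download but from an internal file server -> excluded destination
    {"event.dataset": "network_traffic.http", "source.ip": "10.1.2.3",
     "destination.ip": "192.168.10.4", "url.path": "/tools/stage.ps1", "url.extension": "ps1"},
    # 3: a .zip is outside the rule's scope
    {"event.dataset": "network_traffic.http", "source.ip": "10.1.2.3",
     "destination.ip": "203.0.114.5", "url.path": "/x/a.zip", "url.extension": "zip"},
    # 4: IPv6 link-local destination is excluded
    {"event.dataset": "network_traffic.tls", "source.ip": "192.168.1.50",
     "destination.ip": "fe80::1", "url.path": "/a.rar", "url.extension": "rar"},
]

if __name__ == "__main__":
    print("alerting events:", matching_events(SAMPLE_EVENTS))
    print("with 203.0.114.5 trusted:", matching_events(SAMPLE_EVENTS, trusted={"203.0.114.5"}))
```

Running the module prints the indices that would alert, first with no exceptions and then with the placeholder update server added to `trusted`; the second run shows how a single host exception removes both hits, which is the point to weigh before excluding a destination rather than a specific source host.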
Related rules
- Accepted Default Telnet Port Connection
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior
- RDP (Remote Desktop Protocol) from the Internet
- SMTP on Port 26/TCP