Files Added To An Archive Using Rar.EXE
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Sigma rule (View on GitHub)
1title: Files Added To An Archive Using Rar.EXE
2id: 6f3e2987-db24-4c78-a860-b4f4095a7095
3status: test
4description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
7 - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
8author: Timur Zinniatullin, E.M. Anhaus, oscd.community
9date: 2019-10-21
10modified: 2023-02-05
11tags:
12 - attack.collection
13 - attack.t1560.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\rar.exe'
20 CommandLine|contains: ' a '
21 condition: selection
22falsepositives:
23 - Highly likely if rar is a default archiver in the monitored environment.
24level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- 7Zip Compressing Dump Files
- Cisco Stage Data
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Rar Usage with Password and Compression Level