Rar Usage with Password and Compression Level

calendar Mar 2, 2023 · attack.collection attack.t1560.001  ·
Share on: linkedin copy

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

Sigma rule (View on GitHub)

 1title: Rar Usage with Password and Compression Level
 2id: faa48cae-6b25-4f00-a094-08947fef582f
 3status: test
 4description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
 5references:
 6    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
 7    - https://ss64.com/bash/rar.html
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 9author: '@ROxPinTeddy'
10date: 2020/05/12
11modified: 2022/03/16
12tags:
13    - attack.collection
14    - attack.t1560.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_password:
20        CommandLine|contains: ' -hp'
21    selection_other:
22        CommandLine|contains:
23            - ' -m'
24            - ' a '
25    condition: selection_password and selection_other
26falsepositives:
27    - Legitimate use of Winrar command line version
28    - Other command line tools, that use these flags
29level: high

References

Related rules

to-top