Suspicious Greedy Compression Using Rar.EXE

calendar Jan 10, 2024 · attack.execution attack.t1059  ·
Share on: linkedin copy

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Sigma rule (View on GitHub)

 1title: Suspicious Greedy Compression Using Rar.EXE
 2id: afe52666-401e-4a02-b4ff-5d128990b8cb
 3status: experimental
 4description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
 5references:
 6    - https://decoded.avast.io/martinchlumecky/png-steganography
 7author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
 8date: 2022/12/15
 9modified: 2024/01/02
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    # Example : rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul
18    selection_opt_1:
19        - Image|endswith: '\rar.exe'
20        - Description: 'Command line RAR'
21    selection_opt_2:
22        CommandLine|contains:
23            - '.exe a '
24            - ' a -m'
25    selection_cli_flags:
26        CommandLine|contains|all:
27            - ' -hp' # password
28            - ' -r ' # recursive
29    selection_cli_folders:
30        CommandLine|contains:
31            - ' ?:\\\*.'
32            - ' ?:\\\\\*.'
33            - ' ?:\$Recycle.bin\'
34            - ' ?:\PerfLogs\'
35            - ' ?:\Temp'
36            - ' ?:\Users\Public\'
37            - ' ?:\Windows\'
38            - ' %public%'
39    condition: 1 of selection_opt_* and all of selection_cli_*
40falsepositives:
41    - Unknown
42level: high

References

Related rules

to-top