Compressed File Creation Via Tar.EXE
Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Sigma rule

```yaml
title: Compressed File Creation Via Tar.EXE
id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
status: test
description: |
    Detects execution of "tar.exe" in order to create a compressed file.
    Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: Nasreddine Bencherchali (Nextron Systems), AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_create:
        CommandLine|contains:
            - '-c'
            - '-r'
            - '-u'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
```
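To show what the rule actually matches, here is an added Python evaluator that applies the two selections above to a handful of constructed process-creation events. It is example code written for this page, not part of the Sigma project or its tooling; the `ProcessEvent` class, the sample events and the helper names are assumptions. It follows Sigma's default string semantics (case-insensitive `endswith`, `contains` and equality), a list of maps under `selection_img` being an OR, a list of values under `CommandLine|contains` being an OR, and `all of selection_*` being an AND of both selections.

```python
"""Added example: minimal evaluator for the "Compressed File Creation Via
Tar.EXE" Sigma rule, run over constructed Windows process_creation events.
Not the Sigma project's own code."""

from dataclasses import dataclass

# Values taken directly from the rule's detection block.
TAR_IMAGE_SUFFIX = "\\tar.exe"          # Image|endswith: '\tar.exe'
TAR_ORIGINAL_NAME = "bsdtar"            # OriginalFileName: 'bsdtar'
CREATE_FLAGS = ("-c", "-r", "-u")       # CommandLine|contains (create/append/update modes)


@dataclass
class ProcessEvent:
    """Subset of a process_creation event the rule inspects (constructed type)."""
    image: str
    original_file_name: str
    command_line: str


def matches_selection_img(ev: ProcessEvent) -> bool:
    # selection_img is a list of maps => OR between entries; Sigma matches
    # strings case-insensitively by default.
    return (ev.image.lower().endswith(TAR_IMAGE_SUFFIX)
            or ev.original_file_name.lower() == TAR_ORIGINAL_NAME)


def matches_selection_create(ev: ProcessEvent) -> bool:
    # A list of values under one field => OR between the values.
    cl = ev.command_line.lower()
    return any(flag in cl for flag in CREATE_FLAGS)


def rule_matches(ev: ProcessEvent) -> bool:
    # condition: all of selection_*  => both selections must hold.
    return matches_selection_img(ev) and matches_selection_create(ev)


def flagged_events(events: list[ProcessEvent]) -> list[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 0: straightforward archive creation with the built-in tar.exe
    ProcessEvent(r"C:\Windows\System32\tar.exe", "bsdtar",
                 r"tar.exe -cf C:\Users\Public\docs.tar C:\Users\alice\Documents"),
    # 1: binary renamed on disk; OriginalFileName from the PE header still gives it away
    ProcessEvent(r"C:\Temp\svc.exe", "bsdtar",
                 r"svc.exe -czf C:\Temp\out.tgz C:\Users\alice\Desktop"),
    # 2: extraction, not creation; handled by the related extraction rule instead
    ProcessEvent(r"C:\Windows\System32\tar.exe", "bsdtar",
                 r"tar.exe -xf C:\Users\alice\Downloads\archive.tar"),
    # 3: unrelated process whose command line happens to contain "-c"
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "PowerShell.EXE", "powershell.exe -c Get-Date"),
    # 4: extraction with a directory change; "-C" matches "-c" case-insensitively,
    #    which is one reason the rule's falsepositives entry says "Likely"
    ProcessEvent(r"C:\Windows\System32\tar.exe", "bsdtar",
                 r"tar.exe -C C:\Temp -xf C:\Temp\a.tar"),
]

if __name__ == "__main__":
    for i in flagged_events(SAMPLE_EVENTS):
        print(f"event {i} matches: {SAMPLE_EVENTS[i].command_line}")
```

Events 0, 1 and 4 match. Event 4 is worth noting when tuning: because Sigma string matching is case-insensitive, `-C` (change directory) satisfies `CommandLine|contains: '-c'`, so an analyst triaging hits from this low-level rule should check the actual mode flag rather than trust the match alone.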
Related rules
- Compressed File Extraction Via Tar.EXE
- Cisco Stage Data
- 7Zip Compressing Dump Files
- AWS EC2 VM Export Failure
- Compress Data and Lock With Password for Exfiltration With 7-ZIP