Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" to extract a compressed file. Adversaries may abuse various utilities to decompress data in order to evade detection. The rule fires on a process-creation event when the image path ends in \tar.exe or the binary's OriginalFileName is "bsdtar" (which also catches a renamed copy), and the command line contains "-x". Because "-x" is matched as a plain substring, the rule is broad by design (level low, false positives likely).
Sigma rule
title: Compressed File Extraction Via Tar.EXE
id: bf361876-6620-407a-812f-bfe11e51e924
status: test
description: |
    Detects execution of "tar.exe" in order to extract compressed file.
    Adversaries may abuse various utilities in order to decompress data to avoid detection.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_extract:
        CommandLine|contains: '-x'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
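To see what the rule actually matches, here is the detection logic above replayed over a handful of constructed process_creation events. This is an added example, not code from the Sigma project: the events are made up (field names follow the Sysmon-style schema the rule uses), and the "tightened" matcher at the end is a suggested refinement of my own, not part of the published rule. Sigma string modifiers are case-insensitive, which the evaluator reproduces by lower-casing every field.

```python
import re

# Constructed sample events (not real telemetry). Comments state what each one probes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tar.exe", "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe -xf C:\Users\Public\payload.tar -C C:\Users\Public"},     # 0: plain extraction
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "bsdtar",
     "CommandLine": r"svc.exe -xzvf C:\Users\Public\a.tgz"},                           # 1: renamed tar.exe
    {"Image": r"C:\Windows\System32\tar.exe", "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe -cf C:\Temp\logs.tar C:\Temp\logs"},                     # 2: archive creation
    {"Image": r"C:\Windows\System32\tar.exe", "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe --extract -f C:\Temp\a.tar"},                            # 3: long option form
    {"Image": r"C:\Windows\System32\tar.exe", "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe -cf C:\Temp\build-x64.tar C:\Temp\src"},                 # 4: '-x' inside a path
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir -x"},                                             # 5: not tar at all
]


def _ci(value):
    """Sigma string matching is case-insensitive; normalise missing fields to ''."""
    return (value or "").lower()


def selection_img(event):
    # A list of two maps under selection_img means OR between the maps.
    return (_ci(event.get("Image")).endswith(r"\tar.exe")
            or _ci(event.get("OriginalFileName")) == "bsdtar")


def selection_extract(event):
    # CommandLine|contains: '-x'  (plain substring, as written in the rule)
    return "-x" in _ci(event.get("CommandLine"))


def rule_matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_extract(event)


# Suggested refinement (assumption, not the published rule): require '-x' to be an
# option switch (a token starting with '-' whose letters include x, e.g. -xf, -zxvf)
# or the long form --extract. 'x' is kept case-sensitive because bsdtar's -X is a
# different option (exclude patterns).
_EXTRACT_SWITCH = re.compile(r"(?:^|\s)(?:-[A-Za-z]*x|--extract\b)")


def rule_matches_tightened(event):
    return (selection_img(event)
            and _EXTRACT_SWITCH.search(event.get("CommandLine") or "") is not None)


def evaluate(events, matcher=rule_matches):
    """Return the indices of events the given matcher fires on."""
    return [i for i, e in enumerate(events) if matcher(e)]


if __name__ == "__main__":
    print("published rule hits:   ", evaluate(SAMPLE_EVENTS))
    print("tightened matcher hits:", evaluate(SAMPLE_EVENTS, rule_matches_tightened))
```

Running it shows the two caveats a reviewer of this rule should know: the published substring check fires on event 4 (the "-x" inside build-x64.tar, an archive creation) but misses event 3 (tar --extract), while still catching the renamed binary in event 1 through OriginalFileName. The tightened matcher flips both of those; whether that is worth the extra regex cost depends on how much tar.exe traffic your environment produces.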
Related rules
- Compressed File Creation Via Tar.EXE
- Cisco Stage Data
- 7Zip Compressing Dump Files
- AWS EC2 VM Export Failure
- Compress Data and Lock With Password for Exfiltration With 7-ZIP