Winrar Compressing Dump Files
Detects a suspicious winrar execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration
Sigma rule (View on GitHub)
1title: Winrar Compressing Dump Files
2id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
3related:
4 - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
5 type: similar
6status: experimental
7description: Detects a suspicious winrar execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration
8references:
9 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
10author: Florian Roth (Nextron Systems)
11date: 2022/01/04
12modified: 2023/03/10
13tags:
14 - attack.collection
15 - attack.t1560.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\rar.exe'
23 - '\winrar.exe'
24 - Description: 'Command line RAR'
25 selection_extension:
26 CommandLine|contains:
27 - '.dmp'
28 - '.dump'
29 condition: all of selection_*
30falsepositives:
31 - Legitimate use of WinRAR with a command line in which .dmp appears accidentally
32level: high