WinRAR Execution in Non-Standard Folder
Detects a suspicious WinRAR execution in a folder which is not the default installation folder
Sigma rule
title: WinRAR Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
references:
    - https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021-11-17
modified: 2025-07-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description:
              - 'Command line RAR'
              - 'WinRAR'
    filter_main_unrar:
        # Note: we filter UnRAR as it has the same description as the other utilities, and we're only interested in compression
        Image|endswith: '\UnRAR.exe'
    filter_main_path:
        Image|contains:
            - ':\Program Files (x86)\WinRAR\'
            - ':\Program Files\WinRAR\'
    filter_optional_temp:
        # Note: on some occasions installers were seen dropping "rar" in TEMP
        Image|contains: ':\Windows\Temp\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
level: medium
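To show how the selection and the three filters combine under the rule's condition, here is an added Python re-implementation of the matching logic run over constructed process_creation events. It is example code written for this page, not part of the Sigma project or of any rule tooling, and the sample image paths are invented.

```python
# Added example: evaluates the rule's selection/filter logic over
# constructed Windows process_creation events (not real telemetry).
from typing import Dict, List

# filter_main_path values from the rule (Sigma matching is case-insensitive)
PROGRAM_FILES_PATHS = (":\\program files (x86)\\winrar\\", ":\\program files\\winrar\\")
# filter_optional_temp value from the rule
TEMP_PATH = ":\\windows\\temp\\"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies
    'selection and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    image = event.get("Image", "").lower()
    description = event.get("Description", "").lower()
    # selection: either the image name OR the binary description identifies a RAR tool
    selection = (
        image.endswith(("\\rar.exe", "\\winrar.exe"))
        or description in ("command line rar", "winrar")
    )
    if not selection:
        return False
    # filter_main_unrar: UnRAR.exe shares the description but only extracts
    if image.endswith("\\unrar.exe"):
        return False
    # filter_main_path: default installation folders are expected locations
    if any(p in image for p in PROGRAM_FILES_PATHS):
        return False
    # filter_optional_temp: installers have been seen dropping rar into TEMP
    if TEMP_PATH in image:
        return False
    return True


# Constructed sample events covering each branch of the rule
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "Description": "WinRAR"},
    {"Image": "C:\\Program Files\\WinRAR\\UnRAR.exe", "Description": "Command line RAR"},
    {"Image": "C:\\Users\\Public\\r.exe", "Description": "Command line RAR"},
    {"Image": "C:\\Windows\\Temp\\rar.exe", "Description": "Command line RAR"},
    {"Image": "D:\\tools\\Rar.exe", "Description": "Command line RAR"},
]


def flag_events(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image paths of all events the rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for img in flag_events(SAMPLE_EVENTS):
        print("ALERT:", img)
```

Note that the renamed binary in `C:\Users\Public` is caught only through the `Description` branch of the selection, which is why the rule keys on the PE description as well as the file name.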
Related rules
- Disk Image Mounting Via Hdiutil - MacOS
- Data Compressed
- Compressed File Creation Via Tar.EXE
- Compressed File Extraction Via Tar.EXE
- 7Zip Compressing Dump Files