Winrar Execution in Non-Standard Folder
Detects a suspicious WinRAR execution from a folder other than the default installation folder. The rule also keys on the PE file description `Command line RAR`, so a renamed `rar.exe` dropped into a user-writable location is still caught, while the legitimate `UnRAR.exe` (which carries the same description) and installers that unpack `rar.exe` into `C:\Windows\Temp\` are filtered out.
Sigma rule
```yaml
title: Winrar Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious WinRAR execution from a folder other than the default installation folder
references:
    - https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021-11-17
modified: 2023-08-31
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Either the well-known binary names or the PE description (catches renamed binaries)
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description: 'Command line RAR'
    filter_main_unrar:
        # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression
        Image|endswith: '\UnRAR.exe'
    filter_main_path:
        Image|contains:
            - ':\Program Files (x86)\WinRAR\'
            - ':\Program Files\WinRAR\'
    filter_optional_temp:
        # Note: on some occasions installers were seen dropping "rar" in TEMP
        Image|contains: ':\Windows\Temp\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
level: medium
```
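To make the condition concrete, the following is an added example (not part of the SigmaHQ rule or the Sigma toolchain) that re-implements the rule's matching semantics by hand and runs them over a handful of constructed `process_creation` events: Sigma string modifiers are case-insensitive by default, the two entries under `selection` are OR-ed because they are list items, and each `filter_*` group is AND-NOT-ed in via the condition. The events, paths and descriptions below are constructed for illustration; the `ProcessCreation` class and `matches_rule`/`alerts` helpers are this example's own names.

```python
"""Hand-evaluated version of 'Winrar Execution in Non-Standard Folder'.

Added example, not from the SigmaHQ repository: it mirrors the rule's logic
(case-insensitive endswith/contains/equality, OR between selection list items,
AND-NOT for every filter_main_* and filter_optional_* group) without pySigma.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal process_creation event using Sigma field names (constructed)."""
    Image: str
    Description: Optional[str] = None


def _endswith_any(value: Optional[str], suffixes: Iterable[str]) -> bool:
    # Sigma modifiers compare case-insensitively unless |cased is used.
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: Optional[str], needles: Iterable[str]) -> bool:
    if value is None:
        return False
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(ev: ProcessCreation) -> bool:
    # selection: list of two maps -> OR. Note '\rar.exe' does not match
    # 'winrar.exe' because the backslash anchors the file name.
    selection = _endswith_any(ev.Image, ["\\rar.exe", "\\winrar.exe"]) or (
        ev.Description is not None and ev.Description.lower() == "command line rar"
    )
    # filter_main_unrar: UnRAR.exe ships with the same PE description
    filter_main_unrar = _endswith_any(ev.Image, ["\\UnRAR.exe"])
    # filter_main_path: default installation folders only
    filter_main_path = _contains_any(
        ev.Image, [":\\Program Files (x86)\\WinRAR\\", ":\\Program Files\\WinRAR\\"]
    )
    # filter_optional_temp: installers unpacking rar.exe into %SystemRoot%\Temp
    filter_optional_temp = _contains_any(ev.Image, [":\\Windows\\Temp\\"])
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection and not (filter_main_unrar or filter_main_path) and not filter_optional_temp


def alerts(events: Iterable[ProcessCreation]) -> List[str]:
    """Return the Image paths of all events the rule would fire on."""
    return [ev.Image for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: regular install -> filtered by filter_main_path
    ProcessCreation(r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR archiver"),
    # 1: rar.exe staged in a public folder -> alert
    ProcessCreation(r"C:\Users\Public\rar.exe", "Command line RAR"),
    # 2: legitimate UnRAR.exe with the shared description -> filtered
    ProcessCreation(r"C:\Users\j.doe\Downloads\UnRAR.exe", "Command line RAR"),
    # 3: installer dropped rar.exe into Windows\Temp -> filtered (optional filter)
    ProcessCreation(r"C:\Windows\Temp\rar.exe", "Command line RAR"),
    # 4: renamed rar.exe, only the PE description gives it away -> alert
    ProcessCreation(r"C:\Users\j.doe\AppData\Local\Temp\svc.exe", "Command line RAR"),
    # 5: unrelated process -> no selection match
    ProcessCreation(r"C:\Windows\System32\svchost.exe", "Host Process for Windows Services"),
    # 6: portable/bundled WinRAR on another drive -> alert (documented false positive)
    ProcessCreation(r"D:\Tools\WinRAR\WinRAR.exe", "WinRAR archiver"),
]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Events 4 and 6 are the ones worth noting when tuning: the `Description` branch is what catches a renamed `rar.exe`, and a portable or vendor-bundled WinRAR outside `Program Files` will fire exactly as the `falsepositives` entry warns, so the usual tuning is an additional `filter_optional_*` group for known bundle paths rather than weakening `filter_main_path`.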
References
- https://twitter.com/cyb3rops/status/1460978167628406785
Related rules
- 7Zip Compressing Dump Files
- Cisco Stage Data
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Files Added To An Archive Using Rar.EXE