← Back to Explore
sigmamediumHunting
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
Detection Query
selection_parent:
ParentImage|endswith: \WinRAR.exe
selection_binaries:
- Image|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- OriginalFileName:
- Cmd.Exe
- cscript.exe
- mshta.exe
- PowerShell.EXE
- pwsh.dll
- regsvr32.exe
- RUNDLL32.EXE
- wscript.exe
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-08-31
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1203
Raw Content
title: Potentially Suspicious Child Process Of WinRAR.EXE
id: 146aace8-9bd6-42ba-be7a-0070d8027b76
related:
- id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
type: similar
status: test
description: Detects potentially suspicious child processes of WinRAR.exe.
references:
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
- attack.execution
- attack.t1203
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\WinRAR.exe'
selection_binaries:
# Note: add additional binaries that the attacker might use
- Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'cscript.exe'
- 'mshta.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'regsvr32.exe'
- 'RUNDLL32.EXE'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: medium