← Back to Explore
sigmamediumHunting
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
Detection Query
selection:
OriginalFileName:
- 7z*.exe
- "*rar.exe"
- "*Command*Line*RAR*"
CommandLine|contains:
- " -p"
- " -ta"
- " -tb"
- " -sdel"
- " -dw"
- " -hp"
filter_main_generic:
ParentImage|contains:
- :\Program Files\
- :\Program Files (x86)\
condition: selection and not 1 of filter_main_*
Author
Florian Roth (Nextron Systems), Samir Bousseaden
Created
2019-10-15
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.collectionattack.t1560.001detection.threat-hunting
Raw Content
title: Potentially Suspicious Compression Tool Parameters
id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
status: test
description: Detects potentially suspicious command line arguments of common data compression tools
references:
- https://twitter.com/SBousseaden/status/1184067445612535811
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2019-10-15
modified: 2023-08-29
tags:
- attack.collection
- attack.t1560.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- '7z*.exe'
- '*rar.exe'
- '*Command*Line*RAR*'
CommandLine|contains:
- ' -p'
- ' -ta'
- ' -tb'
- ' -sdel'
- ' -dw'
- ' -hp'
filter_main_generic:
ParentImage|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium