← Back to Explore
sigmalowHunting
Compressed File Creation Via Tar.EXE
Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Detection Query
selection_img:
- Image|endswith: \tar.exe
- OriginalFileName: bsdtar
selection_create:
CommandLine|contains:
- -c
- -r
- -u
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems), AdmU3
Created
2023-12-19
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.collectionattack.exfiltrationattack.t1560attack.t1560.001
Raw Content
title: Compressed File Creation Via Tar.EXE
id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
status: test
description: |
Detects execution of "tar.exe" in order to create a compressed file.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
references:
- https://unit42.paloaltonetworks.com/chromeloader-malware/
- https://lolbas-project.github.io/lolbas/Binaries/Tar/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: Nasreddine Bencherchali (Nextron Systems), AdmU3
date: 2023-12-19
tags:
- attack.collection
- attack.exfiltration
- attack.t1560
- attack.t1560.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\tar.exe'
- OriginalFileName: 'bsdtar'
selection_create:
CommandLine|contains:
- '-c'
- '-r'
- '-u'
condition: all of selection_*
falsepositives:
- Likely
level: low