← Back to Explore
sigmalowHunting
Files Added To An Archive Using Rar.EXE
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Detection Query
selection:
Image|endswith: \rar.exe
CommandLine|contains: " a "
condition: selection
Author
Timur Zinniatullin, E.M. Anhaus, oscd.community
Created
2019-10-21
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.collectionattack.t1560.001
Raw Content
title: Files Added To An Archive Using Rar.EXE
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: test
description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rar.exe'
CommandLine|contains: ' a '
condition: selection
falsepositives:
- Highly likely if rar is a default archiver in the monitored environment.
level: low