← Back to Explore
sigmalowHunting
Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
Detection Query
selection_img:
- Image|endswith: \tar.exe
- OriginalFileName: bsdtar
selection_extract:
CommandLine|contains: -x
condition: all of selection_*
Author
AdmU3
Created
2023-12-19
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.collectionattack.exfiltrationattack.t1560attack.t1560.001
Raw Content
title: Compressed File Extraction Via Tar.EXE
id: bf361876-6620-407a-812f-bfe11e51e924
status: test
description: |
Detects execution of "tar.exe" in order to extract compressed file.
Adversaries may abuse various utilities in order to decompress data to avoid detection.
references:
- https://unit42.paloaltonetworks.com/chromeloader-malware/
- https://lolbas-project.github.io/lolbas/Binaries/Tar/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: AdmU3
date: 2023-12-19
tags:
- attack.collection
- attack.exfiltration
- attack.t1560
- attack.t1560.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\tar.exe'
- OriginalFileName: 'bsdtar'
selection_extract:
CommandLine|contains: '-x'
condition: all of selection_*
falsepositives:
- Likely
level: low