Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Potentially Suspicious Compression Tool Parameters

Detects potentially suspicious command line arguments of common data compression tools

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Samir BousseadenCreated Tue Oct 15Updated Tue Aug 2927a72a60-7e5e-47b1-9d17-909c9abafdcdwindows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        OriginalFileName:
            - '7z*.exe'
            - '*rar.exe'
            - '*Command*Line*RAR*'
        CommandLine|contains:
            - ' -p'
            - ' -ta'
            - ' -tb'
            - ' -sdel'
            - ' -dw'
            - ' -hp'
    filter_main_generic:
        ParentImage|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
27a72a60-7e5e-47b1-9d17-909c9abafdcd
Status
test
Level
medium
Type
Threat Hunt
Created
Tue Oct 15
Modified
Tue Aug 29
Author
Florian Roth (Nextron Systems), Samir Bousseaden
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml
Raw Tags
attack.collectionattack.t1560.001detection.threat-hunting
View on GitHub