Detectionlowtest

Files Added To An Archive Using Rar.EXE

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Timur Zinniatullin, E.M. Anhaus, oscd.communityCreated Mon Oct 21Updated Sun Feb 056f3e2987-db24-4c78-a860-b4f4095a7095windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\rar.exe'
        CommandLine|contains: ' a '
    condition: selection

False Positives

Highly likely if rar is a default archiver in the monitored environment.

References

Resolving title…

github.com

Resolving title…

eqllib.readthedocs.io

MITRE ATT&CK

Tactics

TA0009 · Collection

Sub-techniques

T1560.001 · Archive via Utility

Rule Metadata

Rule ID

6f3e2987-db24-4c78-a860-b4f4095a7095

Status

test

Level

low

Type

Detection

Created

Mon Oct 21

Modified

Sun Feb 05

Author

Timur Zinniatullin, E.M. Anhaus, oscd.community

Path

rules/windows/process_creation/proc_creation_win_rar_compress_data.yml

Raw Tags

attack.collectionattack.t1560.001

View on GitHub