Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Rar Usage with Password and Compression Level

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@roxpinteddyCreated Tue May 12Updated Wed Mar 16faa48cae-6b25-4f00-a094-08947fef582fwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_password:
        CommandLine|contains: ' -hp'
    selection_other:
        CommandLine|contains:
            - ' -m'
            - ' a '
    condition: selection_password and selection_other
False Positives

Legitimate use of Winrar command line version

Other command line tools, that use these flags

References
1
Resolving title…
labs.sentinelone.com
2
Resolving title…
ss64.com
3
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
faa48cae-6b25-4f00-a094-08947fef582f
Status
test
Level
high
Type
Detection
Created
Tue May 12
Modified
Wed Mar 16
Author
@roxpinteddy
Path
rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
Raw Tags
attack.collectionattack.t1560.001
View on GitHub