
Deployable detection rules

1 vendor-native detection · ready to paste into your SIEM · cross-linked to ATT&CK
Filtered to technique T1027.013

Detections

Splunk ESCU SPL · T1027.013
Windows Obfuscated Files or Information via RAR SFX
The following analytic detects the creation of RAR Self-Extracting (SFX) archives by watching for the temporary file a RAR SFX stub writes while it unpacks itself. It is a filename heuristic: a Sysmon FileCreate event (EventCode 11) whose TargetFilename contains the marker "__tmp_rar_sfx_access_check" indicates that an executable carrying compressed RAR data is extracting its payload on the host. Tracking this activity helps pinpoint potentially unauthorized or suspicious file creation, which is often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery, so known-good installers should be excluded through the analytic's filter macro rather than by loosening the match.
Query
`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*")
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY action dest file_name
       file_path process_guid process_id
       user user_id vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_obfuscated_files_or_information_via_rar_sfx_filter`
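The query above re-implemented in Python and run over constructed Sysmon FileCreate records, as an added example (my own code, not Splunk's or ESCU's). It assumes file_name and file_path are derived from TargetFilename the way the Sysmon add-on normalises them, and it stands in for the ESCU filter macro with an allowlist of file_path globs; every host, user, SID, GUID and the "Contoso Setup" path in the sample data are made up.

```python
"""Added example (not Splunk ESCU code): the SPL above re-implemented in
Python and run over constructed Sysmon EventCode 11 records, so the
filter, the stats-by aggregation and the allowlist hook can be checked."""
import fnmatch
import ntpath
from datetime import datetime, timezone

# The only signal the SPL keys on: a temp file the RAR SFX stub creates to
# test write access to the extraction directory while unpacking.
RAR_SFX_MARKER = "*__tmp_rar_sfx_access_check*"

# Fields of the SPL's BY clause. file_name and file_path are derived from
# TargetFilename here (assumption about how the add-on normalises them).
GROUP_FIELDS = ("action", "dest", "file_name", "file_path", "process_guid",
                "process_id", "user", "user_id", "vendor_product")


def _ev(code, t, dest, user, sid, guid, pid, target):
    """Build one constructed Sysmon event in the shape the query expects."""
    return {"EventCode": code, "_time": t, "dest": dest, "action": "created",
            "user": user, "user_id": sid, "process_guid": guid, "process_id": pid,
            "vendor_product": "Microsoft Sysmon", "TargetFilename": target}


# Constructed sample data: an SFX unpacking twice from a user Temp dir, an
# SFX unpacking from a fictional vendor installer path, one FileCreate
# without the marker, and one ProcessCreate that must be ignored.
SAMPLE_EVENTS = [
    _ev(11, 1700000000, "WS01", "CORP\\alice", "S-1-5-21-1", "{A1}", 4120,
        r"C:\Users\alice\AppData\Local\Temp\__tmp_rar_sfx_access_check_7172421"),
    _ev(11, 1700000005, "WS01", "CORP\\alice", "S-1-5-21-1", "{A1}", 4120,
        r"C:\Users\alice\AppData\Local\Temp\__tmp_rar_sfx_access_check_7172421"),
    _ev(11, 1700000100, "WS02", "CORP\\svc_deploy", "S-1-5-21-2", "{B2}", 988,
        r"C:\Program Files\Contoso Setup\__tmp_rar_sfx_access_check_310"),
    _ev(11, 1700000200, "WS02", "CORP\\bob", "S-1-5-21-3", "{C3}", 2210,
        r"C:\Users\bob\Downloads\invoice.pdf.exe"),
    _ev(1, 1700000300, "WS01", "CORP\\alice", "S-1-5-21-1", "{A1}", 4120,
        r"C:\Users\alice\AppData\Local\Temp\__tmp_rar_sfx_access_check_7172421"),
]


def is_rar_sfx_marker(target_filename):
    """TargetFilename IN ("*__tmp_rar_sfx_access_check*"), case-insensitive
    like a Splunk field-value match."""
    return fnmatch.fnmatchcase(target_filename.lower(), RAR_SFX_MARKER)


def ctime(epoch):
    """Same rendering as the security_content_ctime macro (UTC here)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_rar_sfx(events, allowlisted_paths=()):
    """Run the analytic: filter, stats count/min/max BY the group fields,
    then apply the filter-macro stand-in (an allowlist of file_path globs).
    Returns one dict per surviving group, sorted by dest and file_path."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 11:          # `sysmon` EventCode=11 only
            continue
        target = ev.get("TargetFilename", "")
        if not is_rar_sfx_marker(target):
            continue
        row = dict(ev, file_path=target, file_name=ntpath.basename(target))
        key = tuple(row.get(f) for f in GROUP_FIELDS)
        g = groups.get(key)
        if g is None:
            g = groups[key] = dict(zip(GROUP_FIELDS, key), count=0,
                                   firstTime=ev["_time"], lastTime=ev["_time"])
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    results = []
    for g in groups.values():
        # ESCU ships the *_filter macro empty; this is where known-good
        # installer extraction paths would be excluded.
        if any(fnmatch.fnmatchcase(g["file_path"].lower(), p.lower())
               for p in allowlisted_paths):
            continue
        g["firstTime"], g["lastTime"] = ctime(g["firstTime"]), ctime(g["lastTime"])
        results.append(g)
    return sorted(results, key=lambda r: (r["dest"], r["file_path"]))


if __name__ == "__main__":
    for hit in detect_rar_sfx(SAMPLE_EVENTS,
                              allowlisted_paths=(r"C:\Program Files\Contoso Setup\*",)):
        print(hit["dest"], hit["user"], hit["count"], hit["firstTime"],
              hit["lastTime"], hit["file_path"])
```

Run as a script it prints only the WS01 row: the two Temp-directory events collapse into one group with count 2, the Contoso path is dropped by the allowlist, the invoice.pdf.exe FileCreate never matches the marker, and the ProcessCreate is skipped before matching. Two checks worth doing before relying on the real analytic: confirm that your Sysmon configuration actually emits FileCreate events for user Temp and Downloads directories, since the rule sees nothing otherwise, and keep exclusions in the filter macro keyed on file_path or the process, not on the marker string, because the marker is the entire detection.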