title: Rar Usage with Password and Compression Level
id: faa48cae-6b25-4f00-a094-08947fef582f
status: test
description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
    - https://ss64.com/bash/rar.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-03-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_password:
        CommandLine|contains: ' -hp'
    selection_other:
        CommandLine|contains:
            - ' -m'
            - ' a '
    condition: selection_password and selection_other
falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags
level: high

title: Suspicious Manipulation Of Default Accounts Via Net.EXE
id: 5b768e71-86f2-4879-b448-81061cbae951
status: test
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
references:
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_user_option:
        CommandLine|contains: ' user '
    selection_username:
        CommandLine|contains:
            # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
            - ' Järjestelmänvalvoja ' # Finish
            - ' Rendszergazda ' # Hungarian
            - ' Администратор ' # Russian
            - ' Administrateur ' # French
            - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
            - ' Administratör ' # Swedish
            - ' Administrator ' # English
            - ' guest '
            - ' DefaultAccount '
            # The cases below are for when an attacker requests the net command via 'cmd /c....'
            # First in double quotes
            - ' "Järjestelmänvalvoja" ' # Finish
            - ' "Rendszergazda" ' # Hungarian
            - ' "Администратор" ' # Russian
            - ' "Administrateur" ' # French
            - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
            - ' "Administratör" ' # Swedish
            - ' "Administrator" ' # English
            - ' "guest" '
            - ' "DefaultAccount" '
            # Second in single quotes
            - " 'Järjestelmänvalvoja' " # Finish
            - " 'Rendszergazda' " # Hungarian
            - " 'Администратор' " # Russian
            - " 'Administrateur' " # French
            - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
            - " 'Administratör' " # Swedish
            - " 'Administrator' " # English
            - " 'guest' "
            - " 'DefaultAccount' "
    filter:
        CommandLine|contains|all:
            - 'guest'
            - '/active no'
    condition: all of selection_* and not filter
falsepositives:
    - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
level: high

title: 7Zip Compressing Dump Files
id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
related:
    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
      type: derived
status: test
description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2023-09-12
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
    selection_extension:
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
    - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
level: medium

title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2023-03-13
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
    selection_password:
        CommandLine|contains: ' -p'
    selection_action:
        CommandLine|contains:
            - ' a '
            - ' u '
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since compressing files with a password is common.
level: medium

title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Disk Image Mounting Via Hdiutil - MacOS
id: bf241472-f014-4f01-a869-96f99330ca8c
status: test
description: Detects the execution of the hdiutil utility in order to mount disk images.
references:
    - https://www.loobins.io/binaries/hdiutil/
    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
    - https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
    - attack.initial-access
    - attack.collection
    - attack.t1566.001
    - attack.t1560.001
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: /hdiutil
        CommandLine|contains:
            - 'attach '
            - 'mount '
    condition: selection
falsepositives:
    - Legitimate usage of hdiutil by administrators and users.
level: medium

title: WinRAR Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
references:
    - https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021-11-17
modified: 2025-07-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description:
              - 'Command line RAR'
              - 'WinRAR'
    filter_main_unrar:
        # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression
        Image|endswith: '\UnRAR.exe'
    filter_main_path:
        Image|contains:
            - ':\Program Files (x86)\WinRAR\'
            - ':\Program Files\WinRAR\'
    filter_optional_temp:
        # Note: in some occasion installers were seen dropping "rar" in TEMP
        Image|contains: ':\Windows\Temp\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
level: medium

title: Winrar Compressing Dump Files
id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
related:
    - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
      type: similar
status: test
description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2023-09-12
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description: 'Command line RAR'
    selection_extension:
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
    - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
level: medium

title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: test
description: Various protocols maybe used to put data on the device for exfil or infil
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.collection
    - attack.lateral-movement
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1074
    - attack.t1105
    - attack.t1560.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'tftp'
        - 'rcp'
        - 'puts'
        - 'copy'
        - 'configure replace'
        - 'archive tar'
    condition: keywords
falsepositives:
    - Generally used to copy configs or IOS images
level: low

title: Compressed File Creation Via Tar.EXE
id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
status: test
description: |
    Detects execution of "tar.exe" in order to create a compressed file.
    Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: Nasreddine Bencherchali (Nextron Systems), AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_create:
        CommandLine|contains:
            - '-c'
            - '-r'
            - '-u'
    condition: all of selection_*
falsepositives:
    - Likely
level: low

title: Compressed File Extraction Via Tar.EXE
id: bf361876-6620-407a-812f-bfe11e51e924
status: test
description: |
    Detects execution of "tar.exe" in order to extract compressed file.
    Adversaries may abuse various utilities in order to decompress data to avoid detection.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_extract:
        CommandLine|contains: '-x'
    condition: all of selection_*
falsepositives:
    - Likely
level: low

title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-07-28
tags:
    - attack.exfiltration
    - attack.collection
    - attack.t1560.001
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of archiving tools by legitimate user.
level: low

title: Files Added To An Archive Using Rar.EXE
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: test
description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rar.exe'
        CommandLine|contains: ' a '
    condition: selection
falsepositives:
    - Highly likely if rar is a default archiver in the monitored environment.
level: low