SigmaHQ/rules/windows/process_creation/win_susp_rar_flags.yml

title: Rar with Password or Compression Level 
id: faa48cae-6b25-4f00-a094-08947fef582f
status: experimental
description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. 
references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
author: '@ROxPinTeddy'
date: 2020/05/12
tags:
    - attack.exfiltration
    - attack.t1002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
       CommandLine|contains|all:
               - ' -hp'
               - ' -m'
    condition: selection
falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags
level: medium
rule: suspicious rar flags 2020-07-01 07:04:26 +00:00			`title: Rar with Password or Compression Level`
			`id: faa48cae-6b25-4f00-a094-08947fef582f`
			`status: experimental`
			`description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.`
			`references:`
			`- https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/`
			`author: '@ROxPinTeddy'`
			`date: 2020/05/12`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1002`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
fix: rar flags rule caused too many FPs 2020-07-03 11:20:24 +00:00			`CommandLine\|contains\|all:`
rule: suspicious rar flags 2020-07-01 07:04:26 +00:00			`- ' -hp'`
			`- ' -m'`
			`condition: selection`
			`falsepositives:`
			`- Legitimate use of Winrar command line version`
			`- Other command line tools, that use these flags`
			`level: medium`