SigmaHQ/rules/windows/process_creation/win_data_compressed_with_rar.yml

title: Data Compressed
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
    - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rar.exe'
        CommandLine|contains: ' a '
    condition: selection
fields:
    - Image
    - CommandLine
    - User
    - LogonGuid
    - Hashes
    - ParentProcessGuid
    - ParentCommandLine
falsepositives:
    - highly likely if rar is default archiver in the monitored environment
level: low
tags:
    - attack.exfiltration
    - attack.t1002
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar 2019-10-22 11:00:52 +00:00			`title: Data Compressed`
			`status: experimental`
			`description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`author: Timur Zinniatullin, E.M. Anhaus, oscd.community`
Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml 2019-11-04 19:55:32 +00:00			`date: 2019/10/21`
			`modified: 2019/11/04`
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar 2019-10-22 11:00:52 +00:00			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html`
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar 2019-10-22 11:00:52 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml 2019-11-04 19:55:32 +00:00			`selection:`
add modifiers 2019-11-07 22:34:30 +00:00			`Image\|endswith: '\rar.exe'`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`CommandLine\|contains: ' a '`
Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml 2019-11-04 19:55:32 +00:00			`condition: selection`
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar 2019-10-22 11:00:52 +00:00			`fields:`
			`- Image`
			`- CommandLine`
			`- User`
			`- LogonGuid`
			`- Hashes`
			`- ParentProcessGuid`
			`- ParentCommandLine`
			`falsepositives:`
Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml 2019-11-04 19:55:32 +00:00			`- highly likely if rar is default archiver in the monitored environment`
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar 2019-10-22 11:00:52 +00:00			`level: low`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1002`