Merge pull request #1748 from frack113/update_win_susp_rar_flags.yml

update win_susp_rar_flags.yml
2024-11-07 09:48:58 +00:00 · 2021-07-28 16:23:14 +02:00 · 2021-07-28 16:23:14 +02:00 · c3eced4ae7
commit c3eced4ae7
parent dc4380d459 8b82fbf36b
1 changed files with 10 additions and 5 deletions
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@ -1,12 +1,14 @@
 title: Rar with Password or Compression Level 
 id: faa48cae-6b25-4f00-a094-08947fef582f
 status: experimental
-description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. 
+description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
 references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
+    - https://ss64.com/bash/rar.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
 author: '@ROxPinTeddy'
 date: 2020/05/12
-modified: 2020/08/28
+modified: 2021/07/27
 tags:
    - attack.collection
    - attack.t1560.001
@ -16,11 +18,14 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-       CommandLine|contains|all:
+    selection_password:
+       CommandLine|contains:
               - ' -hp'
+    selection_other:
+       CommandLine|contains:
               - ' -m'
-    condition: selection
+               - ' a '
+    condition: selection_password and selection_other
 falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags