rule: suspicious rar flags

rules/windows/process_creation/win_susp_rar_flags.yml

@@ -0,0 +1,24 @@
+title: Rar with Password or Compression Level 
+id: faa48cae-6b25-4f00-a094-08947fef582f
+status: experimental
+description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. 
+references:
+    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
+author: '@ROxPinTeddy'
+date: 2020/05/12
+tags:
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+       CommandLine|contains:
+               - ' -hp'
+               - ' -m'
+    condition: selection
+falsepositives:
+    - Legitimate use of Winrar command line version
+    - Other command line tools, that use these flags
+level: medium