SigmaHQ/rules/windows/process_creation/win_susp_compression_params.yml
2019-11-12 23:12:27 +01:00

35 lines
901 B
YAML

title: Suspicious Compression Tool Parameters
id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
status: experimental
description: Detects suspicious command line arguments of common data compression tools
references:
- https://twitter.com/SBousseaden/status/1184067445612535811
tags:
- attack.exfiltration
- attack.t1020
- attack.t1002
author: Florian Roth, Samir Bousseaden
date: 2019/10/15
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- '7z*.exe'
- '*rar.exe'
- '*Command*Line*RAR*'
CommandLine:
- '* -p*'
- '* -ta*'
- '* -tb*'
- '* -sdel*'
- '* -dw*'
- '* -hp*'
falsepositive:
ParentImage: 'C:\Program*'
condition: selection and not falsepositive
falsepositives:
- unknown
level: high