From e38116fce280bc6f6941b3bfab1a94e2e146aaac Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 22:55:32 +0300 Subject: [PATCH] Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml --- ...sed.yml => win_data_compressed_with_rar.yml} | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) rename rules/windows/process_creation/{win_data_compressed.yml => win_data_compressed_with_rar.yml} (68%) diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml similarity index 68% rename from rules/windows/process_creation/win_data_compressed.yml rename to rules/windows/process_creation/win_data_compressed_with_rar.yml index 469a946a2..de3ce76ac 100644 --- a/rules/windows/process_creation/win_data_compressed.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml @@ -2,19 +2,20 @@ title: Data Compressed status: experimental description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml logsource: category: process_creation product: windows detection: - selection1: - Image: - - '*\rar.exe' - CommandLine: - - '* a -r *' - condition: selection1 + selection: + Image: '*\rar.exe' + CommandLine|contains|all: + - ' a ' + - '-r' + condition: selection fields: - Image - CommandLine @@ -24,7 +25,7 @@ fields: - ParentProcessGuid - ParentCommandLine falsepositives: - - highly likely if default archivator in the monitored environment is rar, and even if not + - highly likely if rar is default archiver in the monitored environment level: low tags: - attack.exfiltration