title: Compressed File Extraction Via Tar.EXE
id: bf361876-6620-407a-812f-bfe11e51e924
status: test
description: |
    Detects execution of "tar.exe" in order to extract compressed file.
    Adversaries may abuse various utilities in order to decompress data to avoid detection.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_extract:
        CommandLine|contains: '-x'
    condition: all of selection_*
falsepositives:
    - Likely
level: low