security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/process_creation/proc_creation_win_winrar_execution.yml
T
Nasreddine Bencherchali e3503d5d60 feat: more updates
2023-03-06 00:39:26 +01:00

31 lines
894 B
YAML
Raw Blame History

title: Winrar Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious winrar execution in a folder which is not the default installation folder
references:
- https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021/11/17
modified: 2022/12/25
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\rar.exe'
- '\winrar.exe'
- Description: 'Command line RAR'
filter:
Image|contains:
- '\WinRAR'
- 'C:\Windows\Temp'
- '\UnRAR.exe'
condition: selection and not filter
falsepositives:
- Legitimate use of WinRAR in a folder of a software that bundles WinRAR
level: high
Reference in New Issue View Git Blame Copy Permalink