AdmU3
6bab8fe4dc
new: Compressed File Creation Via Tar.EXE new: Compressed File Extraction Via Tar.EXE --------- Co-authored-by: Admu3 <ahhyy.1405@gmail.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
31 lines
959 B
YAML
31 lines
959 B
YAML
title: Compressed File Extraction Via Tar.EXE
|
|
id: bf361876-6620-407a-812f-bfe11e51e924
|
|
status: experimental
|
|
description: |
|
|
Detects execution of "tar.exe" in order to extract compressed file.
|
|
Adversaries may abuse various utilities in order to decompress data to avoid detection.
|
|
references:
|
|
- https://unit42.paloaltonetworks.com/chromeloader-malware/
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Tar/
|
|
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
|
|
author: AdmU3
|
|
date: 2023/12/19
|
|
tags:
|
|
- attack.collection
|
|
- attack.exfiltration
|
|
- attack.t1560
|
|
- attack.t1560.001
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\tar.exe'
|
|
- OriginalFileName: 'bsdtar'
|
|
selection_extract:
|
|
CommandLine|contains: '-x'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Likely
|
|
level: low
|