LoFP
/
t1560.001
t1560.001
Title
Tags
false positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.
t1560
t1560.001
endpoint
splunk
generally used to copy configs or ios images
t1074
t1105
t1560
t1560.001
cisco
sigma
highly likely if rar is a default archiver in the monitored environment.
t1560
t1560.001
windows
sigma
legitimate activity is expected since compressing files with a password is common.
t1560
t1560.001
windows
sigma
legitimate activity is expected since extracting files with a password can be common in some environment.
t1560
t1560.001
windows
sigma
legitimate use of 7z to compress wer \".dmp\" files for troubleshooting
t1560
t1560.001
windows
sigma
legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally
t1560
t1560.001
windows
sigma
legitimate use of archiving tools by legitimate user.
t1560
t1560.001
linux
sigma
legitimate use of winrar command line version
t1560
t1560.001
windows
sigma
legitimate use of winrar in a folder of a software that bundles winrar
t1560
t1560.001
windows
sigma
legitimate use of winrar to compress wer \".dmp\" files for troubleshooting
t1560
t1560.001
windows
sigma
legitimate use of winrar with a command line in which \".dmp\" or \".dump\" appears accidentally
t1560
t1560.001
windows
sigma
likely
t1006
t1059
t1059.001
t1082
t1091
t1200
t1217
t1482
t1560
t1560.001
t1562
windows
linux
sigma
limited false positives, however this analytic will need to be modified for each environment if sysmon is not used.
t1560
t1560.001
endpoint
splunk
other command line tools, that use these flags
t1560
t1560.001
windows
sigma
some false positives could occur with the admin or guest account. it depends on the scripts being used by the admins in your env. if you experience a lot of fp you could reduce the level to medium
t1560
t1560.001
windows
sigma
user and network administrator can execute this command.
t1070
t1560
t1560.001
endpoint
splunk
LoFP
/
t1560.001