LoFP: highly likely if rar is a default archiver in the monitored environment.

Techniques

Sample rules

Files Added To An Archive Using Rar.EXE

Description

Detects usage of “rar” to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Detection logic

detection:
  selection:
    Image|endswith: '\rar.exe'
    CommandLine|contains: ' a '
  condition: selection
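To show how this selection behaves on real-looking telemetry, and why the false-positive note at the top matters, here is an added Python example (not code from the LoFP site or the Sigma project) that evaluates the two field conditions against a handful of constructed process-creation events. The field names `Image` and `CommandLine` come from the rule; the events, the `User` field and the `BASELINE_USERS` allowlist used for tuning are assumptions made for the example.

```python
"""Evaluate the rar.exe 'a' (add) selection against constructed process-creation events."""

# The rule's selection, transcribed from the page. All keys must match (logical AND).
SELECTION = {
    "Image|endswith": r"\rar.exe",
    "CommandLine|contains": " a ",
}


def _field_matches(modifier: str, value: str, needle: str) -> bool:
    """Apply one Sigma string modifier. Sigma string matching is case-insensitive."""
    v, n = value.lower(), needle.lower()
    if modifier == "equals":
        return v == n
    if modifier == "endswith":
        return v.endswith(n)
    if modifier == "startswith":
        return v.startswith(n)
    if modifier == "contains":
        return n in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """True when every field/modifier pair in the selection matches the event."""
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _field_matches(modifier or "equals", value, needle):
            return False
    return True


# Constructed sample events (assumed, not real telemetry). Note that the selection
# looks only at the add verb ' a ', so extraction (event 2) should not fire, and
# that Sigma's case-insensitive matching still catches RAR.EXE (event 4).
EVENTS = [
    {"id": 1, "User": "alice", "Image": r"C:\Program Files\WinRAR\rar.exe",
     "CommandLine": r"rar.exe a -r C:\Users\alice\Documents\staging.rar C:\Users\alice\Documents\*"},
    {"id": 2, "User": "bob", "Image": r"C:\Program Files\WinRAR\rar.exe",
     "CommandLine": r"rar.exe x C:\Downloads\archive.rar"},
    {"id": 3, "User": "bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir a b"},
    {"id": 4, "User": "backup-svc", "Image": r"C:\Program Files\WinRAR\RAR.EXE",
     "CommandLine": r"RAR.EXE a D:\backups\nightly.rar D:\shares\*.docx"},
]


def matching_ids(events: list, selection: dict = SELECTION) -> list:
    """Return the ids of events the raw selection would alert on."""
    return [e["id"] for e in events if selection_matches(e, selection)]


# Hypothetical tuning for an environment where rar is the default archiver: keep the
# rule, but drop hits from a documented baseline (here a backup service account).
BASELINE_USERS = {"backup-svc"}  # constructed allowlist, not part of the rule


def tuned_matching_ids(events: list, selection: dict = SELECTION,
                       baseline_users: set = BASELINE_USERS) -> list:
    """Same selection, minus hits attributable to the known baseline."""
    return [e["id"] for e in events
            if selection_matches(e, selection) and e.get("User") not in baseline_users]


if __name__ == "__main__":
    print("raw hits:  ", matching_ids(EVENTS))        # expected [1, 4]
    print("tuned hits:", tuned_matching_ids(EVENTS))  # expected [1]
```

The raw selection fires on both the interactive staging of a user's Documents folder and the scheduled backup, which is exactly the situation the LoFP note describes; an allowlist keyed on whatever your environment actually uses for routine archiving (account, parent process or destination path) keeps the rule while removing the expected noise.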