Techniques
Sample rules
Rar Usage with Password and Compression Level
- source: sigma
- techniques:
- t1560
- t1560.001
Description
Detects rar.exe being run from the command line to create an archive that is password-protected with header encryption (-hp) together with either an explicit compression level (-m) or the add command (a). Compressing and encrypting collected data is a common staging step before exfiltration (T1560.001), so the combination is a strong indicator of malicious activity, although legitimate backup scripts that protect archives with -hp will trigger it as well. Note that the logic keys on the command line only, so a renamed rar binary is still caught, while an archive protected with -p alone (file data encrypted, headers left in the clear) is not matched.
Detection logic
selection_password:
    CommandLine|contains: ' -hp'
selection_other:
    CommandLine|contains:
        - ' -m'
        - ' a '
condition: selection_password and selection_other
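As an added example that is not part of the original rule or the Sigma project, the following Python evaluates the detection logic above, using Sigma's default case-insensitive `contains` semantics, over a handful of constructed process-creation events (the paths, file names and passwords are made up). It also includes a hypothetical tightened variant, not part of the rule, that additionally requires the image name to end in \rar.exe or \winrar.exe, to show the trade-off: the non-rar false positive disappears, but so does the hit on a renamed rar binary.

```python
"""
Added example (not the rule author's or the Sigma project's code): run the
"Rar Usage with Password and Compression Level" detection logic over sample
process-creation events.

Sigma's `contains` modifier is a case-insensitive substring test by default,
so both sides are lowercased before comparison.
"""

# Constructed sample events; every path, name and password here is made up.
SAMPLE_EVENTS = [
    {   # true positive: add command, header-encrypting password, compression level
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -hpSecret123 -m5 '
                       r"C:\Users\Public\out.rar C:\Users\alice\Documents",
    },
    {   # renamed rar binary and upper-case switch: still caught, the rule
        # only looks at CommandLine and matching is case-insensitive
        "Image": r"C:\Windows\Temp\svchost.exe",
        "CommandLine": r"svchost.exe a -HPp4ss C:\Windows\Temp\1.rar "
                       r"C:\Users\alice\Desktop\*.docx",
    },
    {   # -p instead of -hp (file data encrypted, headers in the clear): missed
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -pSecret123 '
                       r"C:\Users\Public\out.rar C:\Users\alice\Documents",
    },
    {   # plain extraction, no password: no match
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" x '
                       r"C:\Users\alice\Downloads\archive.rar",
    },
    {   # unrelated process whose command line happens to contain the
        # substrings: false positive of the CommandLine-only logic
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo -hp -m",
    },
]

# The rule's selections, copied from the detection logic on the page.
PASSWORD_SUBSTRINGS = [" -hp"]
OTHER_SUBSTRINGS = [" -m", " a "]

# Hypothetical tightening, NOT part of the published rule.
RAR_IMAGE_SUFFIXES = ["\\rar.exe", "\\winrar.exe"]


def contains_any(value, needles):
    """Sigma `contains` with a list: true if any needle occurs, case-insensitive."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def rule_matches(event):
    """condition: selection_password and selection_other"""
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, PASSWORD_SUBSTRINGS) and contains_any(cmd, OTHER_SUBSTRINGS)


def tightened_matches(event):
    """Hypothetical variant: the page's logic plus an Image|endswith check."""
    image = event.get("Image", "").lower()
    return rule_matches(event) and any(image.endswith(s) for s in RAR_IMAGE_SUFFIXES)


def evaluate(events, matcher=rule_matches):
    """Return one verdict per event, in input order."""
    return [matcher(e) for e in events]


if __name__ == "__main__":
    for event, hit, tight in zip(SAMPLE_EVENTS,
                                 evaluate(SAMPLE_EVENTS),
                                 evaluate(SAMPLE_EVENTS, tightened_matches)):
        print(f"rule={'ALERT' if hit else '-----'} "
              f"tightened={'ALERT' if tight else '-----'}  {event['CommandLine']}")
```

Running the block shows the published logic alerting on events 1, 2 and 5 and staying silent on the -p archive and the plain extraction; the tightened variant drops the cmd.exe false positive but also loses the renamed-binary case, which is exactly why the published rule leaves the image name out and accepts the occasional benign hit.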