LoFP / legitimate use of WinRAR in a folder of a software that bundles WinRAR

Techniques

Sample rules

Winrar Execution in Non-Standard Folder

Description

Detects a suspicious WinRAR execution (rar.exe or winrar.exe) from a folder that is not one of the default installation folders.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_path:
  Image|contains:
  - :\Program Files (x86)\WinRAR\
  - :\Program Files\WinRAR\
filter_main_unrar:
  Image|endswith: \UnRAR.exe
filter_optional_temp:
  Image|contains: :\Windows\Temp\
selection:
- Image|endswith:
  - \rar.exe
  - \winrar.exe
- Description: Command line RAR
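To make the condition above concrete, here is an added example (not code from LoFP or from the Sigma project) that re-implements this rule's selection, filters and condition in Python and runs it over constructed process-creation events, including the false-positive case this page is about. It assumes Sigma's default case-insensitive string matching and Sysmon-style `Image` and `Description` fields; all paths and the vendor folder are made up.

```python
# Added example: evaluate the "Winrar Execution in Non-Standard Folder" rule
# logic over constructed events. Assumes Sigma's default case-insensitive
# matching for contains/endswith/exact-match modifiers.

def _contains(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _endswith(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def selection(ev):
    # The two list items under `selection` are OR'ed in Sigma: either the
    # image name matches, or the PE description does (catches renamed binaries).
    return (_endswith(ev.get("Image", ""), ["\\rar.exe", "\\winrar.exe"])
            or ev.get("Description", "").lower() == "command line rar")

def filter_main(ev):
    # filter_main_path OR filter_main_unrar ("1 of filter_main_*").
    return (_contains(ev.get("Image", ""), [":\\Program Files (x86)\\WinRAR\\",
                                             ":\\Program Files\\WinRAR\\"])
            or _endswith(ev.get("Image", ""), ["\\UnRAR.exe"]))

def filter_optional(ev, extra_dirs=()):
    # filter_optional_temp plus any site-specific tuning entries (hypothetical).
    return _contains(ev.get("Image", ""), [":\\Windows\\Temp\\", *extra_dirs])

def rule_matches(ev, extra_dirs=()):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not filter_main(ev) and not filter_optional(ev, extra_dirs)

# Constructed sample events (Sysmon EventID 1 style); none are real telemetry.
EVENTS = {
    "default_install": {"Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "Description": "WinRAR archiver"},
    "unrar_anywhere": {"Image": "C:\\Users\\alice\\Downloads\\UnRAR.exe", "Description": "Command line RAR"},
    "windows_temp": {"Image": "C:\\Windows\\Temp\\rar.exe", "Description": "Command line RAR"},
    "user_downloads": {"Image": "C:\\Users\\alice\\Downloads\\Rar.exe", "Description": "Command line RAR"},
    # The LoFP case: a third-party product ships its own rar.exe in its folder.
    "bundled_by_vendor": {"Image": "C:\\Program Files\\ExampleVendor\\Tool\\bin\\Rar.exe", "Description": "Command line RAR"},
    "renamed_binary": {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe", "Description": "Command line RAR"},
}

def evaluate(extra_dirs=()):
    """Return {event_name: True if the rule would alert}."""
    return {name: rule_matches(ev, extra_dirs) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18} -> {'ALERT' if hit else 'filtered'}")
    # Tuning for the bundled copy: add a narrowly scoped filter_optional_* entry
    # for that vendor's folder instead of widening the rule or disabling it.
    print(evaluate(extra_dirs=(":\\Program Files\\ExampleVendor\\Tool\\bin\\",)))
```

The `bundled_by_vendor` event shows why the false positive on this page appears: the rule fires on it until a filter scoped to that vendor's folder is added.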