Winrar Compressing Dump Files
- source: sigma
- techniques:
  - t1560
  - t1560.001
 
Description
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Detection logic
detection:
  selection_extension:
    CommandLine|contains:
      - '.dmp'
      - '.dump'
      - '.hdmp'
  selection_img:
    - Image|endswith:
        - '\rar.exe'
        - '\winrar.exe'
    - Description: 'Command line RAR'
  condition: all of selection_*
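The following is an added example, not part of the original rule page and not Sigma's own evaluation engine: a small Python evaluator for this rule's detection logic, run over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, Description). It follows Sigma's default semantics: string modifiers match case-insensitively, a list of values under one field is OR-ed, the two entries under selection_img are OR-ed, and the condition ANDs the two selections. The sample events and the helper names are assumptions made for the illustration.

```python
# Added example (not part of the original rule page): a minimal evaluator for the
# rule's detection block, applied to constructed Sysmon-style process events.

# Field values copied from the rule's detection block.
EXTENSIONS = [".dmp", ".dump", ".hdmp"]
IMAGE_SUFFIXES = ["\\rar.exe", "\\winrar.exe"]
IMAGE_DESCRIPTION = "Command line RAR"


def selection_extension(event: dict) -> bool:
    """CommandLine|contains any of the dump-file extensions (case-insensitive, OR-ed)."""
    cmd = (event.get("CommandLine") or "").lower()
    return any(ext in cmd for ext in EXTENSIONS)


def selection_img(event: dict) -> bool:
    """Image|endswith one of the RAR binaries, OR the PE file-description field
    (Sysmon's Description) equals 'Command line RAR'. Because the second entry
    keys on file metadata rather than the file name, the selection still holds
    when the executable is copied under a different name."""
    image = (event.get("Image") or "").lower()
    description = (event.get("Description") or "").lower()
    return (any(image.endswith(s) for s in IMAGE_SUFFIXES)
            or description == IMAGE_DESCRIPTION.lower())


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_extension(event) and selection_img(event)


def matching_events(events) -> list:
    """Return the subset of events that satisfy the rule."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry; hypothetical paths and names).
SAMPLE_EVENTS = [
    {   # hit: rar.exe archiving a memory dump, extension in mixed case
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "Description": "Command line RAR",
        "CommandLine": r"Rar.exe a -hp C:\Users\Public\out.rar C:\Users\Public\service.DMP",
    },
    {   # hit: binary copied under another name; matched via the Description field
        "Image": r"C:\Users\Public\svc.exe",
        "Description": "Command line RAR",
        "CommandLine": r"svc.exe a data.rar C:\Temp\app.hdmp",
    },
    {   # miss: WinRAR compressing an ordinary document (no dump extension)
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Description": "WinRAR archiver",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a report.rar report.docx',
    },
    {   # miss: a dump file opened by a tool the rule does not cover
        "Image": r"C:\Windows\System32\notepad.exe",
        "Description": "Notepad",
        "CommandLine": r"notepad.exe C:\Temp\crash.dmp",
    },
]


if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "|", e["CommandLine"])
```

Running the block prints the two matching events. The third and fourth samples show the two ways the rule stays quiet: an archiver run without a dump-file extension on the command line, and a dump file touched by a process that is neither a RAR binary nor described as one.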
