LoFP / user and network administrator can execute this command.

Techniques

• T1070
• T1560
• T1560.001

Sample rules

Windows Archive Collected Data via Rar

• source: splunk
• technicques:
  • T1560.001
  • T1560

Description

The following analytic identifies a process execute a rar utilities to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="Rar.exe" OR Processes.original_file_name = "Rar.exe" AND Processes.process = "*a*" Processes.process = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" Processes.process = "* -v5m*" Processes.process = "* -m1*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_archive_collected_data_via_rar_filter`

Windows Indicator Removal Via Rmdir

• source: splunk
• technicques:
  • T1070

Description

The following analytic identifies a process execute rmdir commandline to delete files and directory tree. This technique has been observed in the actions of various malware strains, such as DarkGate, as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. Notably, this deletion method doesn’t exclusively require elevated privileges and can be executed by regular users or network administrators, although it’s not the typical approach used for file deletion.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_indicator_removal_via_rmdir_filter`