title: Winrar Execution in Non-Standard Folder
author: Florian Roth, Tigzy
date: 2021/11/17
description: Detects a suspicious winrar execution in a folder which is not the default
  installation folder
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\rar.exe'
    - '*\winrar.exe'
  SELECTION_3:
    Description: Command line RAR
  SELECTION_4:
    Image: '*\WinRAR*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and  not (SELECTION_4))
falsepositives:
- Legitimate use of WinRAR in a folder of a software that bundles WinRAR
id: 4ede543c-e098-43d9-a28f-dd784a13132f
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://twitter.com/cyb3rops/status/1460978167628406785
status: experimental
tags:
- attack.collection
- attack.t1560.001
- attack.exfiltration
- attack.t1002
ruletype: SIGMA