35 lines
869 B
YAML
35 lines
869 B
YAML
|
|
title: Winrar Execution in Non-Standard Folder
|
|
author: Florian Roth, Tigzy
|
|
date: 2021/11/17
|
|
description: Detects a suspicious winrar execution in a folder which is not the default
|
|
installation folder
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image:
|
|
- '*\rar.exe'
|
|
- '*\winrar.exe'
|
|
SELECTION_3:
|
|
Description: Command line RAR
|
|
SELECTION_4:
|
|
Image: '*\WinRAR*'
|
|
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
|
|
falsepositives:
|
|
- Legitimate use of WinRAR in a folder of a software that bundles WinRAR
|
|
id: 4ede543c-e098-43d9-a28f-dd784a13132f
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
references:
|
|
- https://twitter.com/cyb3rops/status/1460978167628406785
|
|
status: experimental
|
|
tags:
|
|
- attack.collection
|
|
- attack.t1560.001
|
|
- attack.exfiltration
|
|
- attack.t1002
|
|
ruletype: SIGMA
|