Compressed File Creation Via Tar.EXE

Rule Info

Name: Compressed File Creation Via Tar.EXE
Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
Description: Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Date: 2023-12-19 00:00:00
Modified: None
Id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
Tags: attack.collection attack.exfiltration attack.t1560 attack.t1560.001
Type: Community Rule

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| github-actions[bot] | Merge PR #5065 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-11-01 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| AdmU3 | Merge PR #4626 from @AdmU3 - Add New Rules Related To `tar.exe` Usage | 2023-12-20 | |