Suspicious Use of RAR for File Archiving

Rule Info

Name: Suspicious Use of RAR for File Archiving
Author: MalGamy (Nextron Systems)
Description: Detects the use of `rar.exe` to create archives, which may indicate file compression for exfiltration or malicious purposes.
Date: 2024-11-10 00:00:00
Modified: None
Id: 4be92f18-2cfc-412d-91d8-5f8fa1691f87
Tags: attack.exfiltration attack.t1071
Type: Nextron Sigma feed only (private)

Rule History