Command-Line Creation of a RAR file¶

Detect compression of data into a RAR file using the rar.exe utility.

id:	1ec33c93-3d0b-4a28-8014-dbdaae5c60ae
categories:	detect
confidence:	medium
os:	windows
created:	11/30/2018
updated:	11/30/2018

MITRE ATT&CK™ Mapping¶

tactics:	Exfiltration
techniques:	T1002 Data Compressed

Query¶

process where subtype.create and process_name == "rar.exe" and
  command_line == "* a *"

Detonation¶

Atomic Red Team: T1002

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.