Detection: Windows Obfuscated Files or Information via RAR SFX

Description

The following analytic detects the execution of RAR Self-Extracting (SFX) archives by monitoring Sysmon file-creation events for the temporary file an SFX stub writes while it extracts, whose name contains __tmp_rar_sfx_access_check. The heuristic keys on this marker file rather than on the archive itself, so it fires on any RAR SFX, a format that bundles an executable stub with compressed RAR data. Tracking this activity helps pinpoint potentially unauthorized or suspicious file-drop events, which are often associated with malware packaging or with staging data for exfiltration. Legitimate usage includes custom installers and compressed file delivery.

`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer 
| rename Computer as dest 
| rename TargetFilename as file_name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_obfuscated_files_or_information_via_rar_sfx_filter`
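The search above, re-implemented as an added example (not code from the Splunk security content project) in Python so the matching and aggregation can be exercised offline. The Sysmon records, hostnames, user and paths are constructed for illustration, and known_installer is a hypothetical stand-in for what a tuned *_filter macro might exclude.

```python
"""Added example, not part of the original detection page: the RAR SFX
marker-file search re-implemented over constructed Sysmon event XML."""
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MARKER = "__tmp_rar_sfx_access_check"  # substring the SPL wildcards on both sides

# Constructed Sysmon records in Windows event XML form (hosts, users and paths
# are invented). Only EventID 11 records whose TargetFilename carries the marker
# should survive; the EventID 23 (FileDelete) record is the stub removing the
# same file afterwards and must not be counted.
_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def _event(event_id, computer, utc, image, target):
    return (f'<Event xmlns="{_NS}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="UtcTime">{utc}</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')

TMP = r"C:\Users\alice\AppData\Local\Temp"
DROPPER = r"C:\Users\alice\Downloads\invoice.exe"
SAMPLE_EVENTS = [
    _event(11, "ws01.corp.example", "2024-05-01 10:00:01.120", DROPPER,
           TMP + r"\__tmp_rar_sfx_access_check_4112"),
    _event(23, "ws01.corp.example", "2024-05-01 10:00:01.300", DROPPER,
           TMP + r"\__tmp_rar_sfx_access_check_4112"),
    _event(11, "ws01.corp.example", "2024-05-01 10:07:30.500", DROPPER,
           TMP + r"\__tmp_rar_sfx_access_check_4112"),
    _event(11, "ws01.corp.example", "2024-05-01 10:09:00.000",
           r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\notes.txt"),
    _event(11, "ws02.corp.example", "2024-05-01 11:15:42.010",
           r"C:\Program Files\Vendor\setup.exe",
           r"C:\Windows\Temp\__TMP_RAR_SFX_ACCESS_CHECK_77"),
]

def parse_event(xml_text):
    """Flatten one event into a dict holding only the fields the search uses."""
    rec = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]            # strip the XML namespace
        if tag in ("EventID", "Computer"):
            rec[tag] = el.text
        elif tag == "Data" and el.get("Name"):
            rec[el.get("Name")] = el.text
    return rec

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def detect_rar_sfx(events, filter_fn=lambda row: False):
    """EventCode=11 and TargetFilename matching *__tmp_rar_sfx_access_check*,
    then stats count/min/max _time by Image, TargetFilename, Computer, with the
    renames applied. filter_fn plays the role of the empty *_filter macro:
    return True for a row to drop it."""
    groups = defaultdict(list)
    for ev in events:
        target = ev.get("TargetFilename", "")
        # Splunk wildcard matching is case-insensitive, so lower-case first.
        if ev.get("EventID") != "11" or MARKER not in target.lower():
            continue
        groups[(ev.get("Image"), target, ev.get("Computer"))].append(_utc(ev["UtcTime"]))
    rows = []
    for (image, target, computer), times in sorted(groups.items()):
        row = {"Image": image, "file_name": target, "dest": computer, "count": len(times),
               "firstTime": min(times).strftime("%Y-%m-%dT%H:%M:%S"),
               "lastTime": max(times).strftime("%Y-%m-%dT%H:%M:%S")}
        if not filter_fn(row):
            rows.append(row)
    return rows

def known_installer(row):
    """Hypothetical tuning for the filter macro: suppress a vendor installer
    that is known to ship as a RAR SFX (path is invented)."""
    return row["Image"].lower().startswith("c:\\program files\\vendor\\")

def risk_message(row):
    return f"A process [{row['Image']}] dropped [{row['file_name']}] on [{row['dest']}]."

if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for row in detect_rar_sfx(parsed, known_installer):
        print(row["count"], row["firstTime"], row["lastTime"], risk_message(row))
```

Two points the run makes visible: the FileDelete record for the same marker is ignored because the search pins EventCode to 11, and the mixed-case marker on ws02 still matches because Splunk wildcard comparisons are case-insensitive. Since the stats groups on the full TargetFilename, runs that produce differently named marker files appear as separate rows; group on Image and dest instead if one row per dropper is wanted.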

Data Source

No data sources specified for this detection.

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_obfuscated_files_or_information_via_rar_sfx_filter search *
windows_obfuscated_files_or_information_via_rar_sfx_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK
ID Technique Tactic
T1027.013 Encrypted/Encoded File Defense Evasion

Kill Chain Phases
Exploitation

NIST
DE.AE

CIS
CIS 10

Threat Actors
APT18
APT19
APT28
APT32
APT33
APT39
BITTER
Blue Mockingbird
Dark Caracal
Darkhotel
Elderwood
Fox Kitten
Group5
Higaisa
Inception
Lazarus Group
Leviathan
Magic Hound
Malteiro
Metador
Mofang
Molerats
Moonstone Sleet
Moses Staff
OilRig
Putter Panda
Saint Bear
Sidewinder
TA2541
TA505
TeamTNT
Threat Group-3390
Transparent Tribe
Tropic Trooper
Whitefly
menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this search, you need to be ingesting file-creation events (Sysmon EventCode 11) from your endpoints that include the process name (Image) and the TargetFilename. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Note that Sysmon only records Event ID 11 for files matching a FileCreate rule in its configuration, so confirm your configuration covers temporary files in the directories where SFX archives extract. Tune and filter known instances where RAR SFX executables are used legitimately.

Known False Positives

Third-party utility software packaged as a RAR SFX executable will also trigger this detection.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

A process [$Image$] dropped [$file_name$] on [$dest$].

Risk Object Risk Object Type Risk Score Threat Objects
dest system 49 file_name

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 1