-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-07-005.yaml
54 lines (53 loc) · 2.21 KB
/
CAR-2013-07-005.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
title: Command Line Usage of Archiving Software
submission_date: 2013/07/31
information_domain: Host
platforms:
- Windows
- Linux
- macOS
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2013-07-005
description: |-
Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has [collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.
In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names.
coverage:
- technique: T1560
tactics:
- TA0010
subtechniques:
- T1560.001
coverage: Moderate
implementations:
- description: 'This analytic looks for the command line argument `a`, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.'
code: |-
processes = search Process:Create
rar_argument = filter processes where (command_line == "* a *")
output rar_argument
type: pseudocode
- description: DNIF version of the above pseudocode.
code: |-
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100
type: DNIF
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 command="* a *"
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/command_line
unit_tests:
- configurations:
- Windows 7
description: 'Download 7zip or other archiving software you plan to monitor. Create an innocuous text file for testing, or substitute an existing file.'
commands:
- 7z.exe a test.zip test.txt
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis