Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" to extract a compressed archive (the `-x` extract mode). Adversaries may abuse built-in utilities such as tar.exe to decompress staged tooling or data without dropping a third-party archiver, in order to avoid detection.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1560 Archive Collected Data, T1560.001 Archive Collected Data: Archive via Utility |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates

Both selections must match (condition: all of selection_*). Within selection_img either predicate is sufficient:

```yaml
detection:
  selection_img:                      # Stage 1: either of
    - Image|endswith: '\tar.exe'
    - OriginalFileName: bsdtar
  selection_extract:                  # Stage 2
    CommandLine|contains: '-x'
  condition: all of selection_*
```
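The detection logic above evaluated over constructed Sysmon Event ID 1 records, as an added example (not code from the rule, SigmaHQ, or this catalog). It applies the two selections exactly as the rule states them, with Sigma's default case-insensitive string matching, and includes one record that shows the caveat a practitioner should know: `contains: '-x'` is a plain substring test, so a `-x` inside any argument (for example the path segment `build-x64`) fires even when tar is creating, not extracting, an archive. Field names follow the Sysmon process_creation schema; the event records are constructed, not real telemetry.

```python
# Added example: evaluate the "Compressed File Extraction Via Tar.EXE" logic
# over constructed Sysmon Event ID 1 records. Not the rule's own code.
from typing import Dict, Iterable, List


def matches_selection_img(event: Dict[str, str]) -> bool:
    """selection_img: Image|endswith '\\tar.exe' OR OriginalFileName 'bsdtar'.

    Sigma string comparison is case-insensitive by default, so lowercase both
    sides. OriginalFileName comes from the PE version resource, which is why a
    renamed copy of tar.exe still matches (Windows' tar.exe is libarchive's bsdtar).
    """
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image.endswith("\\tar.exe") or original == "bsdtar"


def matches_selection_extract(event: Dict[str, str]) -> bool:
    """selection_extract: CommandLine|contains '-x' (plain substring, any position)."""
    return "-x" in str(event.get("CommandLine", "")).lower()


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return matches_selection_img(event) and matches_selection_extract(event)


# Constructed sample events (not real telemetry). "id" is a label for this demo only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "extract", "Image": r"C:\Windows\System32\tar.exe",
     "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe -xf C:\Users\Public\payload.tar -C C:\Users\Public"},
    # Renamed binary: Image no longer ends with \tar.exe, OriginalFileName still bsdtar.
    {"id": "renamed", "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "bsdtar",
     "CommandLine": r"svchost.exe -xzf stage2.tgz"},
    # Listing only (-t), no extract flag: should not fire.
    {"id": "list-only", "Image": r"C:\Windows\System32\tar.exe",
     "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe -tf archive.tar"},
    # Archive creation (-c); fires anyway because "build-x64" contains "-x".
    {"id": "create-fp", "Image": r"C:\Windows\System32\tar.exe",
     "OriginalFileName": "bsdtar",
     "CommandLine": r"tar.exe -cf out.tar C:\build-x64\bin"},
    # Different archiver entirely: not covered by this rule.
    {"id": "other-tool", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe x archive.7z"},
]


def evaluate(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "HIT" if rule_matches(e) else "-"
        print(f'{e["id"]:<11} {verdict:<4} {e["CommandLine"]}')
```

Running it fires on `extract`, `renamed` and `create-fp`. The `renamed` hit is the value of the OriginalFileName predicate; the `create-fp` hit is the cost of substring matching on a two-character token. If that noise matters in your environment, tighten the extract predicate in your backend's query language to a whitespace-delimited flag (for example a regex such as `\s-x` or `\s-[a-z]*x[a-z]*\b`, which also catches combined forms like `-xzf`) rather than widening it to more substrings.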
Indicators

Each row is a field, the Sigma modifier (operator) applied to it, and the value the rule matches. The values are taken from the detection block above; `contains` and `ends_with` are case-insensitive substring and suffix tests.

| Field | Kind | Values |
|---|---|---|
| CommandLine | contains | -x |
| Image | ends_with | \tar.exe |
| OriginalFileName | eq | bsdtar |