
Compressed File Creation Via Tar.EXE

Sigma Rules

Summary
The detection rule "Compressed File Creation Via Tar.EXE" identifies and alerts on executions of the utility tar.exe used to compress files on Windows systems. This detection matters because adversaries may use compression tools such as tar to obfuscate or encrypt data before exfiltration, a tactic observed across many threat actors. The rule keys on the command-line arguments associated with archive creation and looks for executions of tar.exe or its variant, bsdtar. Its detection logic combines a criterion on the image's file path with a check for the command-line switches (e.g., -c, -r, -u) that indicate a compressed file is being created or updated. This proactive identification can help mitigate the risk posed by malicious data-handling operations.
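As an added illustration (not the rule's own YAML, which this page does not reproduce), the following Python matcher applies the logic described above to constructed process-creation events. It assumes Sysmon-style Image and CommandLine fields, recognises bsdtar by its executable name, and deliberately checks switches per argument and case-sensitively, which is stricter than a plain substring match:

```python
import shlex

# Single-letter tar switches that create, append to, or update an archive.
CREATE_SWITCHES = {"c", "r", "u"}
LONG_SWITCHES = {"--create", "--append", "--update"}

def is_tar_image(image: str) -> bool:
    """Path ends in tar.exe or bsdtar.exe, case-insensitive like a Sigma 'endswith'."""
    return image.lower().endswith(("\\tar.exe", "\\bsdtar.exe"))

def has_create_switch(command_line: str) -> bool:
    """Find a create/append/update switch by inspecting each argument.

    Per-argument, case-sensitive checks keep '-C <dir>' (change directory) and
    '-U' (unlink first) from matching, which a case-insensitive substring test
    for '-c' / '-u' would flag. Bundled short options ('-czf') and old-style
    dashless bundles ('tar cf ...') are both recognised."""
    try:
        args = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: treat as no match
        return False
    for i, arg in enumerate(args[1:], start=1):
        if arg in LONG_SWITCHES:
            return True
        if arg.startswith("--"):
            continue  # some other long option
        if arg.startswith("-") and CREATE_SWITCHES & set(arg[1:]):
            return True
        if i == 1 and arg.isalpha() and CREATE_SWITCHES & set(arg):
            return True  # old-style first argument, e.g. 'cf'
    return False

def match(event: dict) -> bool:
    """Both selections must hold, mirroring the image + command-line logic."""
    return is_tar_image(event.get("Image", "")) and has_create_switch(event.get("CommandLine", ""))

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tar.exe",
     "CommandLine": r"tar.exe -czf C:\Users\Public\staging.tgz C:\Users\alice\Documents"},
    {"Image": r"C:\Tools\bsdtar.exe",
     "CommandLine": r"bsdtar.exe --create -f reports.tar .\reports"},
    {"Image": r"C:\Windows\System32\tar.exe",
     "CommandLine": r"tar.exe -xf update.tar -C C:\Temp\unpack"},  # extraction only
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c tar -cf x.tar y"},  # wrapper process, not tar.exe
]

def matching_command_lines(events) -> list:
    return [e["CommandLine"] for e in events if match(e)]
```

Only the first two sample events alert; the extraction with an upper-case -C and the cmd.exe wrapper do not (the wrapper's child tar.exe process would be evaluated on its own event).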
Categories
  • Windows
  • Cloud
  • Endpoint
Data Sources
  • Process
  • File
Created: 2023-12-19