Rules Update

rules_windows_generic_full.json

@@ -37654,6 +37654,27 @@
         ],
         "filename": "proc_creation_win_sdbinst_shim_persistence.yml"
     },
+    {
+        "title": "Compressed File Creation Via Tar.EXE",
+        "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+        "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\'))"
+        ],
+        "filename": "proc_creation_win_tar_compression.yml"
+    },
     {
         "title": "Renamed Plink Execution",
         "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43",
@@ -38769,6 +38790,27 @@
         ],
         "filename": "proc_creation_win_dsacls_abuse_permissions.yml"
     },
+    {
+        "title": "Compressed File Extraction Via Tar.EXE",
+        "id": "bf361876-6620-407a-812f-bfe11e51e924",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+        "author": "AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\')"
+        ],
+        "filename": "proc_creation_win_tar_extraction.yml"
+    },
     {
         "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)",
         "id": "a58353df-af43-4753-bad0-cd83ef35eef5",

rules_windows_generic_pysigma.json

@@ -30497,6 +30497,27 @@
         ],
         "filename": ""
     },
+    {
+        "title": "Compressed File Creation Via Tar.EXE",
+        "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+        "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\')))"
+        ],
+        "filename": ""
+    },
     {
         "title": "Files And Subdirectories Listing Using Dir",
         "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006",
@@ -30516,6 +30537,27 @@
         ],
         "filename": ""
     },
+    {
+        "title": "Compressed File Extraction Via Tar.EXE",
+        "id": "bf361876-6620-407a-812f-bfe11e51e924",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+        "author": "AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\'))"
+        ],
+        "filename": ""
+    },
     {
         "title": "Suspicious Network Command",
         "id": "a29c1813-ab1f-4dde-b489-330b952e91ae",

rules_windows_sysmon_full.json

@@ -37654,6 +37654,27 @@
         ],
         "filename": "proc_creation_win_sdbinst_shim_persistence.yml"
     },
+    {
+        "title": "Compressed File Creation Via Tar.EXE",
+        "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+        "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\'))"
+        ],
+        "filename": "proc_creation_win_tar_compression.yml"
+    },
     {
         "title": "Renamed Plink Execution",
         "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43",
@@ -38769,6 +38790,27 @@
         ],
         "filename": "proc_creation_win_dsacls_abuse_permissions.yml"
     },
+    {
+        "title": "Compressed File Extraction Via Tar.EXE",
+        "id": "bf361876-6620-407a-812f-bfe11e51e924",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+        "author": "AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\')"
+        ],
+        "filename": "proc_creation_win_tar_extraction.yml"
+    },
     {
         "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)",
         "id": "a58353df-af43-4753-bad0-cd83ef35eef5",

rules_windows_sysmon_pysigma.json

@@ -30497,6 +30497,27 @@
         ],
         "filename": ""
     },
+    {
+        "title": "Compressed File Creation Via Tar.EXE",
+        "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+        "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\')))"
+        ],
+        "filename": ""
+    },
     {
         "title": "Files And Subdirectories Listing Using Dir",
         "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006",
@@ -30516,6 +30537,27 @@
         ],
         "filename": ""
     },
+    {
+        "title": "Compressed File Extraction Via Tar.EXE",
+        "id": "bf361876-6620-407a-812f-bfe11e51e924",
+        "status": "experimental",
+        "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+        "author": "AdmU3",
+        "tags": [
+            "attack.collection",
+            "attack.exfiltration",
+            "attack.t1560",
+            "attack.t1560.001"
+        ],
+        "falsepositives": [
+            "Likely"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\'))"
+        ],
+        "filename": ""
+    },
     {
         "title": "Suspicious Network Command",
         "id": "a29c1813-ab1f-4dde-b489-330b952e91ae",