1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "Identifies use of WinRar or 7z to create encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", 6 "from": "now-9m", 7 "index": [ 8 "logs-endpoint.events.*", 9 "winlogbeat-*", 10 "logs-windows.*" 11 ], 12 "language": "eql", 13 "license": "Elastic License v2", 14 "name": "Encrypting Files with WinRar or 7z", 15 "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n", 16 "references": [ 17 "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" 18 ], 19 "risk_score": 47, 20 "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", 21 "severity": "medium", 22 "tags": [ 23 "Elastic", 24 "Host", 25 "Windows", 26 "Threat Detection", 27 "Collection" 28 ], 29 "threat": [ 30 { 31 "framework": "MITRE ATT&CK", 32 "tactic": { 33 "id": "TA0009", 34 "name": "Collection", 35 "reference": "https://attack.mitre.org/tactics/TA0009/" 36 }, 37 "technique": [ 38 { 39 "id": "T1560", 40 "name": "Archive Collected Data", 41 "reference": "https://attack.mitre.org/techniques/T1560/", 42 "subtechnique": [ 43 { 44 "id": "T1560.001", 45 "name": "Archive via Utility", 46 "reference": "https://attack.mitre.org/techniques/T1560/001/" 47 } 48 ] 49 } 50 ] 51 } 52 ], 53 "timestamp_override": "event.ingested", 54 "type": "eql", 55 "version": 4 56} 57