Name:Windows Obfuscated Files or Information via RAR SFX id:4ab6862b-ce88-4223-96c0-f6da2cffb898 version:2 date:2025-02-17 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery. Data_source:
-Sysmon EventID 11
search:`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_obfuscated_files_or_information_via_rar_sfx_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where rar sfx executable may be used. known_false_positives:It can detect a third part utility software tool compiled to rar sfx. References: -https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Crypto Stealer' asset_type:Endpoint mitre_attack_id: - 'T1027.013' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
