← Back to SOC feed Coverage →

Suspicious Greedy Compression Using Rar.EXE

sigma HIGH SigmaHQ
T1059
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Detection Rule

Sigma (Original)

title: Suspicious Greedy Compression Using Rar.EXE
id: afe52666-401e-4a02-b4ff-5d128990b8cb
status: test
description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
references:
    - https://decoded.avast.io/martinchlumecky/png-steganography
author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-12-15
modified: 2024-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    category: process_creation
detection:
    # Example : rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul
    selection_opt_1:
        - Image|endswith: '\rar.exe'
        - Description: 'Command line RAR'
    selection_opt_2:
        CommandLine|contains:
            - '.exe a '
            - ' a -m'
    selection_cli_flags:
        CommandLine|contains|all:
            - ' -hp' # password
            - ' -r ' # recursive
    selection_cli_folders:
        CommandLine|contains:
            - ' ?:\\\*.'
            - ' ?:\\\\\*.'
            - ' ?:\$Recycle.bin\'
            - ' ?:\PerfLogs\'
            - ' ?:\Temp'
            - ' ?:\Users\Public\'
            - ' ?:\Windows\'
            - ' %public%'
    condition: 1 of selection_opt_* and all of selection_cli_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessName endswith "\\rar.exe" or TargetProcessFileDescription =~ "Command line RAR") or (TargetProcessCommandLine contains ".exe a " or TargetProcessCommandLine contains " a -m")) and ((TargetProcessCommandLine contains " -hp" and TargetProcessCommandLine contains " -r ") and ((TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":*.") or (TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":\*.") or (TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":\\$Recycle.bin\\") or (TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":\\PerfLogs\\") or (TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":\\Temp") or (TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":\\Users\\Public\\") or (TargetProcessCommandLine contains " " and TargetProcessCommandLine contains ":\\Windows\\") or TargetProcessCommandLine contains " %public%"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml