ssa___anomalous_usage_of_archive_tools.yml

name: Anomalous usage of Archive Tools
id: 63614a58-10e2-4c6c-ae81-ea1113681439
version: 4
date: '2021-11-22'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following detection identifies the usage of archive tools from the
  command line.
data_source:
- Windows Security 4688
search:
  selection1:
    process.file.name: WinRAR.exe
  selection2:
    process.file.name|startswith: 7z
  selection3:
    process.file.name|startswith: winzip
  selection4:
    actor.process.file.name|endswith:
    - powershell.exe
    - cmd.exe
  condition: (selection1 or selection2 or selection3) and selection4
how_to_implement: To successfully implement this search you need to be ingesting information
  on process that include the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Processes` node.
known_false_positives: False positives can be ligitmate usage of archive tools from
  the command line.
references:
- https://attack.mitre.org/techniques/T1560/001/
tags:
  analytic_story:
  - Cobalt Strike
  - NOBELIUM Group
  - Insider Threat
  asset_type: Endpoint
  confidence: 60
  impact: 70
  message: An instance of $parent_process_name$ spawning $process_name$ was identified
    on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading
    of 7zip.
  mitre_attack_id:
  - T1560.001
  - T1560
  observable: []
  product:
  - Splunk Behavioral Analytics
  required_fields: []
  kill_chain_phases:
  - Exploitation
  risk_score: 42
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_tools/windows-security.log
    source: WinEventLog:Security