Windows Obfuscated Files or Information via RAR SFX

name: Windows Obfuscated Files or Information via RAR SFX
id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
version: 9
creation_date: '2021-08-03'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery.
data_source:
    - Sysmon EventID 11
search: |-
    `sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*")
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY action dest file_name
           file_path process_guid process_id
           user user_id vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_obfuscated_files_or_information_via_rar_sfx_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where rar sfx executable may be used.
known_false_positives: It can detect a third part utility software tool compiled to rar sfx.
references:
    - https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A process drops [$file_name$] on [$dest$].
threat_objects:
    - field: file_name
      type: file_name
analytic_story:
    - Crypto Stealer
    - APT37 Rustonotto and FadeStealer
    - GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
    - T1027.013
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit