Roshal Archive (RAR) or PowerShell File Downloaded from the Internet

Elastic Stack Serverless Security

Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.

Rule type: query

Rule indices:

auditbeat-*
filebeat-*
packetbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Network
Threat Detection
Command and Control
Host

Version: 7

Rule authors:

Elastic

Rule license: Elastic License v2

		event.category:(network or network_traffic) and network.protocol:http and
  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
    not destination.ip:(
0.0.0/8 or
0.0.0/8 or
254.0.0/16 or
16.0.0/12 or
0.0.0/24 or
0.0.0/29 or
0.0.8/32 or
0.0.9/32 or
0.0.10/32 or
0.0.170/32 or
0.0.171/32 or
0.2.0/24 or
31.196.0/24 or
52.193.0/24 or
168.0.0/16 or
88.99.0/24 or
0.0.0/4 or
64.0.0/10 or
175.48.0/24 or
18.0.0/15 or
51.100.0/24 or
0.113.0/24 or
0.0.0/4 or
      "::1" or
      "FE80::/10" or
      "FF00::/8"
    ) and
    source.ip:(
0.0.0/8 or
16.0.0/12 or
168.0.0/16
    )

	

Framework: MITRE ATT&CKTM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Ingress Tool Transfer
- ID: T1105
- Reference URL: https://attack.mitre.org/techniques/T1105/

Roshal Archive (RAR) or PowerShell File Downloaded from the Internet

Investigation guide

Threat intel

Rule query