Update Tar.yml (#310)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
2025-11-04 02:29:34 +01:00 · 2024-03-31 15:00:57 +02:00
parent 65e05aa4d6
commit 33b9574d04
1 changed files with 18 additions and 0 deletions
--- a/yml/OSBinaries/Tar.yml
+++ b/yml/OSBinaries/Tar.yml
@@ -4,6 +4,20 @@ Description: Used by Windows to extract and create archives.
 Author: 'Brian Lucero'
 Created: 2023-01-30
 Commands:
+  - Command: tar -cf compressedfilename:ads C:\folder\file
+    Description: Compress one or more files to an alternate data stream (ADS).
+    Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
+    Category: ADS
+    Privileges: User
+    MitreID: T1564.004
+    OperatingSystem: Windows 10, Windows 11
+  - Command: tar -xf compressedfilename:ads
+    Description: Decompress a compressed file from an alternate data stream (ADS).
+    Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
+    Category: ADS
+    Privileges: User
+    MitreID: T1564.004
+    OperatingSystem: Windows 10, Windows 11
  - Command: tar -xf \\host1\archive.tar
    Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
    Usecase: Copy files
@@ -13,10 +27,14 @@ Commands:
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\tar.exe
+  - Path: C:\Windows\SysWOW64\tar.exe
 Detection:
  - IOC: tar.exe extracting files from a remote host within the environment
+  - IOC: Abnormal processes spawning tar.exe
+  - IOC: tar.exe interacting with alternate data streams (ADS)
 Resources:
  - Link: https://twitter.com/Cyber_Sorcery/status/1619819249886969856
 Acknowledgement:
  - Person: Brian Lucero
    Handle: '@Cyber_Sorcery'
+  - Person: Avester Fahimipour