From 33b9574d042b7ce5e2afa8f7fef6205a43f10415 Mon Sep 17 00:00:00 2001 From: Avesta <58849566+Avesta-FA@users.noreply.github.com> Date: Sun, 31 Mar 2024 15:00:57 +0200 Subject: [PATCH] Update Tar.yml (#310) Co-authored-by: Wietze --- yml/OSBinaries/Tar.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/yml/OSBinaries/Tar.yml b/yml/OSBinaries/Tar.yml index 11a84fc..6099bfa 100644 --- a/yml/OSBinaries/Tar.yml +++ b/yml/OSBinaries/Tar.yml @@ -4,6 +4,20 @@ Description: Used by Windows to extract and create archives. Author: 'Brian Lucero' Created: 2023-01-30 Commands: + - Command: tar -cf compressedfilename:ads C:\folder\file + Description: Compress one or more files to an alternate data stream (ADS). + Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows 10, Windows 11 + - Command: tar -xf compressedfilename:ads + Description: Decompress a compressed file from an alternate data stream (ADS). + Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows 10, Windows 11 - Command: tar -xf \\host1\archive.tar Description: Extracts archive.tar from the remote (internal) host (host1) to the current host. Usecase: Copy files @@ -13,10 +27,14 @@ Commands: OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\tar.exe + - Path: C:\Windows\SysWOW64\tar.exe Detection: - IOC: tar.exe extracting files from a remote host within the environment + - IOC: Abnormal processes spawning tar.exe + - IOC: tar.exe interacting with alternate data streams (ADS) Resources: - Link: https://twitter.com/Cyber_Sorcery/status/1619819249886969856 Acknowledgement: - Person: Brian Lucero Handle: '@Cyber_Sorcery' + - Person: Avester Fahimipour