Update Tar.yml (#310)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
Avesta 2024-03-31 15:00:57 +02:00 committed by GitHub
parent 65e05aa4d6
commit 33b9574d04
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -4,6 +4,20 @@ Description: Used by Windows to extract and create archives.
Author: 'Brian Lucero'
Created: 2023-01-30
Commands:
- Command: tar -cf compressedfilename:ads C:\folder\file
Description: Compress one or more files to an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11
- Command: tar -xf compressedfilename:ads
Description: Decompress a compressed file from an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11
- Command: tar -xf \\host1\archive.tar
Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
Usecase: Copy files
@ -13,10 +27,14 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\tar.exe
- Path: C:\Windows\SysWOW64\tar.exe
Detection:
- IOC: tar.exe extracting files from a remote host within the environment
- IOC: Abnormal processes spawning tar.exe
- IOC: tar.exe interacting with alternate data streams (ADS)
Resources:
- Link: https://twitter.com/Cyber_Sorcery/status/1619819249886969856
Acknowledgement:
- Person: Brian Lucero
Handle: '@Cyber_Sorcery'
- Person: Avester Fahimipour