From c3f269063363af3b8361669efd22507a431b3cc9 Mon Sep 17 00:00:00 2001 From: CyberSorcery <77494812+cybersorcery@users.noreply.github.com> Date: Sat, 17 Jun 2023 16:25:34 -0500 Subject: [PATCH] Tar.exe lateral movement (#277) Co-authored-by: Wietze --- yml/OSBinaries/Tar.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OSBinaries/Tar.yml diff --git a/yml/OSBinaries/Tar.yml b/yml/OSBinaries/Tar.yml new file mode 100644 index 0000000..11a84fc --- /dev/null +++ b/yml/OSBinaries/Tar.yml @@ -0,0 +1,22 @@ +--- +Name: Tar.exe +Description: Used by Windows to extract and create archives. +Author: 'Brian Lucero' +Created: 2023-01-30 +Commands: + - Command: tar -xf \\host1\archive.tar + Description: Extracts archive.tar from the remote (internal) host (host1) to the current host. + Usecase: Copy files + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\tar.exe +Detection: + - IOC: tar.exe extracting files from a remote host within the environment +Resources: + - Link: https://twitter.com/Cyber_Sorcery/status/1619819249886969856 +Acknowledgement: + - Person: Brian Lucero + Handle: '@Cyber_Sorcery'
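Review bot: the `IOC:` line under `Detection:` ("tar.exe extracting files from a remote host within the environment") is too loose to turn into a rule; anchor it to the command the entry documents, i.e. a process-creation event for `C:\Windows\System32\tar.exe` whose command line contains a UNC path (`\\host\share\...`), as in `tar -xf \\host1\archive.tar`, since that path prefix is what separates this use from ordinary local extraction. Also, the commit subject calls this "lateral movement" while the entry itself is filed as `Category: Copy` with `MitreID: T1105` (Ingress Tool Transfer) and a `Description:` that only describes pulling an archive from a remote host; pick one framing so the title and the YAML agree, or add a second `Command:` entry if a lateral-movement use is actually intended.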