Rar.exe Command Line Password


Sabina Kehler

Aug 3, 2024, 11:55:26 AM8/3/24
to okinboskee

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. This rule is adapted from _creation/proc_creation_win_rar_compression_with_password.yml

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip, WinRAR, and WinZip. Most utilities include functionality to encrypt and/or compress data.

Set password to encrypt files when archiving or to decrypt when extracting. Passwords are case-sensitive. Maximum password length is 127 characters. Longer passwords are truncated to this length. If you omit a password in the command line, you will be prompted to enter it.

This article was written by Luigi Oppido and by wikiHow staff writer, Nicole Levine, MFA. Luigi Oppido is the Owner and Operator of Pleasure Point Computers in Santa Cruz, California. Luigi has over 25 years of experience in general computer repair, data recovery, virus removal, and upgrades. He is also the host of the Computer Man Show! broadcast on KSQD covering central California for over two years.

The wikiHow Tech Team also followed the article's instructions and verified that they work.

This article has been viewed 125,629 times.

Download cRARk at Right-click the RAR file and select "Extract here." Rename the file in your language to "password.def." Open the file in Notepad. Delete the "#" from an option, then save your changes. Open the cRARk folder's command prompt. Type "crark yourarchivename.rar" and press "Enter."

There is an option called -P that will allow you to pass the password in the command itself, but that is not good because there is always the threat of over-the-shoulder peeking. Also, other users can see the password by using the ps -ef command if you use the -P switch. With that -P switch, the command will look like this:

If this is done from PHP using exec(), then the special characters are converted to non-UTF-8 (aka changing the password), meaning you have to first write the command to a batch file and change the char type to UTF-8.

I've written a wee batch script to backup some stuff on my desktop and dump it over the network to a share... The only thing that's bugging me is the verbosity of rar.exe while it's doing the compress part of the job.

Alternatively, if there's any other command-line compression tools for Windows (WinZip/7-Zip) that people are familiar with, I'd be happy to use those either. Or any suggestions to make this batch job a little more robust.

Hi, does anyone have a sample rule example for detecting WMIC Suspicious Scheduled Tasks and WMIC File Download? I am looking for both Scheduled Task and File Download. My search of GitHub did not fetch me any results, unfortunately.

Good morning - there are samples out there using WMIC.exe on the community site. However, they are just calling a different process.

you could modify this to include schtasks.exe - I included the rest of the events section of the rule below this piece. I have some other options I could share later. In this example you just need to determine what you deem suspicious and find where schtasks.exe resides.

In the rule above, we have a number of different actions that an adversary might take, and of course there are a number of permutations, so the following line is a good example of what that command line could look like and picks up the whoami without just looking for all whoami traffic.

Here is what a scheduled task event being called through wmic might look like. Schtasks in general can be very problematic since there are plenty of good reasons to see scheduled tasks run or be created or modified unless you have a firm grip on them within the org.

Regarding downloads, I'm thinking more along the lines of either wmic being used to call a script that has a download function in it, or doing something like the above and calling wget, curl or some other app to initiate a download of a file. Again, since there are a number of ways to do that, I'm not sure where you want to start, but hopefully that gets you going in the right direction.

If the switch -ilog is specified in the command line or configuration
file, RAR will write informational messages, concerning errors
encountered while processing archives, into a log file. Read switch
-ilog description for more details.

Command line options (commands and switches) provide control of
creating and managing archives with RAR. The command is a string (or a
single letter) which commands RAR to perform a corresponding action.
Switches are designed to modify the way RAR performs the action. Other
parameters are archive name and files to be archived into or extracted
from the archive.

Listfiles are plain text files that contain names of files to process.
File names should start at the first column. It is possible to
put comments to the listfile after // characters. For example,
you may create backup.lst containing the following strings:

3) as a special exception, if directory name is specified as
an argument and if directory name does not include file masks
and trailing backslashes, the entire contents of the directory
and all subdirectories will be added to the archive even
if switch -r is not specified.

This command can be used with most of archive modification
switches to modify archive parameters. It is especially
convenient for switches like -av, -cl, -cu, -tl, which do not
have a dedicated command.

If a broken archive does not contain a recovery record or if
the archive is not completely recovered due to major damage, a
second stage is performed. During this stage only the archive
structure is reconstructed and it is impossible to recover
files which fail the CRC validation, it is still possible,
however, to recover undamaged files, which were inaccessible
due to the broken archive structure. Mostly this is useful
for non-solid archives.

RAR does not check if the destination file name is already
present in the archive, so you need to be careful to avoid
duplicated names. It is especially important when using
wildcards. Such a command is potentially dangerous, because
a wrong wildcard may corrupt all archived names.

rv[N] Create recovery volumes (.rev files), which can be later
used to reconstruct missing and damaged files in a volume
set. This command makes sense only for multivolume archives
and you need to specify the name of the first volume
in the set as the archive name. For example:

This feature may be useful for backups or, for example,
when you posted a multivolume archive to a newsgroup
and a part of subscribers did not receive some of the files.
Reposting recovery volumes instead of usual volumes
may reduce the total number of files to repost.

Each recovery volume is able to reconstruct one missing
or damaged RAR volume. For example, if you have 30 volumes
and 3 recovery volumes, you are able to reconstruct any
3 missing volumes. If the number of .rev files is less than
the number of missing volumes, reconstructing is impossible.
The total number of usual and recovery volumes must not
exceed 255.

Original RAR volumes must not be modified after creating
recovery volumes. Recovery algorithm uses data stored both
in REV files and in RAR volumes to rebuild missing RAR volumes.
So if you modify RAR volumes, for example, lock them, after
creating REV files, recovery process will fail.

The optional parameter specifies a number of recovery
volumes to create and must be less than the total number
of RAR volumes in the set. You may also append a percent
character to this parameter, in such case the number of
.rev files created will be equal to this percent taken
from the total number of RAR volumes. For example:

This option may be useful when unpacking a group of archives.
By default RAR places files from all archives in the same
directory, but this switch creates a separate directory
for files unpacked from each archive.

If you need to update an already existing archive, be careful
with -ag switch. Depending on the format string and time passed
since previous -ag use, generated and existing archive names
may mismatch. In this case RAR will create a new archive
instead of updating the already existing one.

If this switch is used when extracting, RAR does not set
general file attributes stored in archive to extracted files.
This switch preserves attributes assigned by operating system
to a newly created file.

If this switch is used when archiving, those archived files
which are not present in the list of the currently added
files, will be deleted from the archive. It is convenient to
use this switch in combination with -u (update) to synchronize
contents of an archive and an archiving directory.

RAR authenticity verification can be forged and does not
provide the same level of security as modern digital signature
schemes based on public key infrastructure. We recommend
to use this RAR feature as informational only, like a special
archive comment. Avoid it in situations when accurate
information about archive creator is important.
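The detection idea from the first paragraph (rar.exe invoked with a password switch or an explicit compression level), and the note further down that -p passes the password inline, can be turned into a small process-creation check. The code below is an added example written for this page; it is not the Sigma rule `proc_creation_win_rar_compression_with_password.yml` and not WinRAR's own code. It relies on RAR's documented switches -p<pwd>, -hp<pwd> and -m0..-m5, and it goes slightly beyond the paragraph by also catching rar.exe launched through an interpreter such as `cmd.exe /c`. The sample events, the field names `Image`/`CommandLine`, and the choice to flag only archive-writing commands (a, u, f, m) while ignoring extraction are assumptions made for the example.

```python
import re

# Constructed sample process-creation events for this example; not taken from the page or the rule.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -hpS3cr3t -m5 C:\Users\Public\out.rar C:\Users\alice\Documents"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -r backup.rar C:\data"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c rar.exe a -pHunter2 staging.rar C:\Users\bob\Desktop"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe x -pHunter2 archive.rar"},
]

RAR_IMAGE = re.compile(r"(?:^|[\\/])rar\.exe$", re.IGNORECASE)
# -p<pwd> and -hp<pwd>: a password given inline on the command line (a bare -p would prompt instead)
PASSWORD_SWITCH = re.compile(r"^-(hp|p)(\S+)$", re.IGNORECASE)
# -m0 .. -m5 set the compression level; -md, -ms and -mt are different switches and are excluded on purpose
COMPRESSION_SWITCH = re.compile(r"^-m([0-5])$", re.IGNORECASE)
# Commands that write to an archive (a = add, u = update, f = freshen, m = move); extraction is not flagged
ARCHIVE_WRITE_COMMANDS = {"a", "u", "f", "m"}


def analyse_rar_command(image, command_line):
    """Return the reasons this process-creation event matches, or [] if it does not."""
    tokens = [t.strip('"') for t in command_line.split()]
    if not tokens:
        return []
    # rar.exe may be the Image itself or be launched through an interpreter such as cmd.exe /c
    rar_idx = next((i for i, t in enumerate(tokens) if RAR_IMAGE.search(t)), None)
    if rar_idx is None:
        if not RAR_IMAGE.search(image):
            return []
        rar_idx = 0  # Image is rar.exe but the command line does not name it; treat argv[0] as the program
    if rar_idx + 1 >= len(tokens) or tokens[rar_idx + 1].lower() not in ARCHIVE_WRITE_COMMANDS:
        return []
    reasons = []
    for token in tokens[rar_idx + 2:]:
        password = PASSWORD_SWITCH.match(token)
        if password:
            reasons.append(f"password passed inline via -{password.group(1).lower()}")
        elif COMPRESSION_SWITCH.match(token):
            reasons.append(f"explicit compression level {token.lower()}")
    return reasons


def scan_events(events):
    """Run the check over a list of events; each finding keeps the event index and its reasons."""
    findings = []
    for index, event in enumerate(events):
        reasons = analyse_rar_command(event.get("Image", ""), event.get("CommandLine", ""))
        if reasons:
            findings.append({"index": index, "image": event.get("Image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {finding['image']} -> {'; '.join(finding['reasons'])}")
```

Of the four constructed events, only the first and third are reported: the second creates an archive without a password or compression level, and the fourth uses a password for extraction, which is far more common in legitimate use and is left to a separate, lower-priority rule. A real deployment would add the usual exclusions for backup software that legitimately calls rar.exe with -hp.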
