RAR file download from the internet

I tried this rule since a lot of malware is spread using password-protected RAR files

Roshal Archive (RAR) or PowerShell File Downloaded from the Internet | Elastic Security Solution [7.17] | Elastic

The query the rule uses:

event.category:(network or network_traffic) and network.protocol:http and
  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
    not destination.ip:(
      10.0.0.0/8 or
      127.0.0.0/8 or
      169.254.0.0/16 or
      172.16.0.0/12 or
      192.0.0.0/24 or
      192.0.0.0/29 or
      192.0.0.8/32 or
      192.0.0.9/32 or
      192.0.0.10/32 or
      192.0.0.170/32 or
      192.0.0.171/32 or
      192.0.2.0/24 or
      192.31.196.0/24 or
      192.52.193.0/24 or
      192.168.0.0/16 or
      192.88.99.0/24 or
      224.0.0.0/4 or
      100.64.0.0/10 or
      192.175.48.0/24 or
      198.18.0.0/15 or
      198.51.100.0/24 or
      203.0.113.0/24 or
      240.0.0.0/4 or
      "::1" or
      "FE80::/10" or
      "FF00::/8"
    ) and
    source.ip:(
      10.0.0.0/8 or
      172.16.0.0/12 or
      192.168.0.0/16
    )

I wrote 2 scripts, 1 in Python and 1 in PowerShell; both cases give no alert

import requests

url = 'https://getsamplefiles.com/download/rar/sample-1.rar'
filename = 'file.rar'

response = requests.get(url)

with open(filename, 'wb') as f:
    f.write(response.content)

print('Download complete!')

$url = 'https://getsamplefiles.com/download/rar/sample-1.rar'
$outputFile = 'file.rar'

Invoke-WebRequest -Uri $url -OutFile $outputFile

Write-Host 'Download complete!'

I also tried downloading a RAR file with a browser (Opera GX) but this isn't logged as well

url.extension is not an available field; the rule filters on this to see if the URL is a RAR file

I use the system, windows and defense integrations

Any ideas why the network traffic from the scripts or browser isn't logged?

Hi @Maretti. Thanks for reaching out.

In order to execute, those files must be extracted from the archive, written to disk, then opened by their respective applications. Endpoint scans supported file types when they are written and/or opened. Endpoint doesn't attempt to scan compressed archives because the performance overhead can be significant, and efficacy is limited because trivial bypasses via password encryption are ubiquitous these days.

Endpoint doesn't intercept/MITM TLS connections (HTTPS) either. It provides IP-level reporting for such connections. For HTTPS connections, the URL is transmitted inside the encrypted stream. The encryption is performed inside the user-mode application, and its contents are not visible to our kernel driver. That rule mentions HTTP - have you tried the same download without TLS?

Regards,
Gabriel

Hi @gabriel.landau

Thanks for the response. I tried without TLS and it still isn't present in the logs

Regards,
Maretti

Thanks for the update. I just spoke with the engineer who wrote it and got clarification on the Defend/Endpoint side - I misunderstood it.

PacketBeat will get you the data you want. Add the "Network Packet Capture" integration to Agent.

Example:

Sample data:

{
    "method": "GET",
    "query": "GET /download/rar/sample-1.rar",
    "destination": {
      "port": 80,
      "bytes": 414,
      "ip": "68.183.46.179",
      "domain": "getsamplefiles.com"
    },
    "source": {
      "port": 50871,
      "bytes": 188,
      "ip": "192.168.1.23"
    },
    "type": "http",
    "url": {
      "path": "/download/rar/sample-1.rar",
      "extension": "rar",
      "scheme": "http",
      "domain": "getsamplefiles.com",
      "full": "http://getsamplefiles.com/download/rar/sample-1.rar"
    },
    "network": {
      "community_id": "1:FT5uqa2sUJPH1NjlQpGMezJPlDM=",
      "protocol": "http",
      "bytes": 602,
      "transport": "tcp",
      "type": "ipv4",
      "direction": "egress"
    }
}

Regards,
Gabriel

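To make the two answers concrete, here is an added example (not part of the thread, not Elastic's code) that re-implements the rule's KQL logic from the first post in Python and runs it over a few constructed events: the Packetbeat HTTP event from Gabriel's sample data (with an assumed event.category of "network", which the sample omits), an IP-level-only event standing in for what an HTTPS download looks like when the URL is inside the encrypted stream, an internal file-server download, and a plain HTML request. It shows why the Packetbeat event alerts while the others do not. The event shapes other than the one quoted above are constructed assumptions.

```python
import ipaddress

# destination.ip ranges the rule excludes, copied from the rule text in the first post.
# "::1" is written as ::1/128 so every entry is a network object.
EXCLUDED_DST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8",
)]

# source.ip ranges the rule requires (RFC 1918).
INTERNAL_SRC = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def matches_rule(event):
    """Evaluate the thread's KQL rule against one nested ECS event (dict).

    A missing field fails its clause, which is also how KQL behaves when the
    integration never populated the field (the point of the original question)."""
    cat = event.get("event", {}).get("category", [])
    cats = cat if isinstance(cat, list) else [cat]
    if not any(c in ("network", "network_traffic") for c in cats):
        return False
    if event.get("network", {}).get("protocol") != "http":
        return False
    url = event.get("url", {})
    # url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)
    if not (url.get("extension") in ("ps1", "rar")
            or url.get("path", "").endswith((".ps1", ".rar"))):
        return False
    dst = event.get("destination", {}).get("ip")
    src = event.get("source", {}).get("ip")
    if dst is None or src is None:
        return False
    if _in_any(dst, EXCLUDED_DST):
        return False
    return _in_any(src, INTERNAL_SRC)


# Constructed sample events. The first mirrors the Packetbeat document in the thread.
SAMPLE_EVENTS = {
    "packetbeat_http_rar": {
        "event": {"category": ["network"]},  # assumed; not shown in the thread's sample
        "network": {"protocol": "http", "transport": "tcp", "direction": "egress"},
        "url": {"path": "/download/rar/sample-1.rar", "extension": "rar",
                "domain": "getsamplefiles.com"},
        "destination": {"ip": "68.183.46.179", "port": 80},
        "source": {"ip": "192.168.1.23", "port": 50871},
    },
    # HTTPS as described by Gabriel: only IP-level data, the URL never leaves the TLS stream.
    "tls_flow_only": {
        "event": {"category": ["network"]},
        "network": {"transport": "tcp", "direction": "egress"},
        "destination": {"ip": "68.183.46.179", "port": 443},
        "source": {"ip": "192.168.1.23", "port": 50872},
    },
    # Same RAR fetched over HTTP from an internal server: destination is excluded.
    "internal_file_server": {
        "event": {"category": ["network"]},
        "network": {"protocol": "http"},
        "url": {"path": "/share/tools.rar", "extension": "rar"},
        "destination": {"ip": "10.0.0.5", "port": 80},
        "source": {"ip": "192.168.1.23", "port": 50873},
    },
    # Ordinary page load over HTTP: wrong extension.
    "plain_html": {
        "event": {"category": ["network"]},
        "network": {"protocol": "http"},
        "url": {"path": "/index.html", "extension": "html"},
        "destination": {"ip": "68.183.46.179", "port": 80},
        "source": {"ip": "192.168.1.23", "port": 50874},
    },
}


def evaluate_samples():
    """Return {sample name: rule matched?} for every constructed event."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'no match'}")
```

Only the Packetbeat HTTP event matches; the TLS flow fails on network.protocol and the url.* clauses exactly as the earlier HTTPS attempts did, which is why adding the Network Packet Capture integration (and testing over plain HTTP) is what makes this rule fire.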
