sigma, DRL-1.1, from SigmaHQ/sigma
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Quality: 74
Rule source: rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
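
The rule's condition worked through on constructed process-creation events, as an added example that is not part of the Sigma rule or the SigmaHQ project. The evaluator, the `event` helper and the sample command lines are assumptions made for illustration, and `windash` is simplified to the `-` and `/` switch forms.

```python
# Added example: hand-written evaluator for this rule's condition (not Sigma tooling).
# Sigma string matching is case-insensitive, so comparisons are done lowercased.
FOLDERS_1 = [":\\Perflogs\\", ":\\ProgramData", ":\\Users\\Public\\", ":\\Windows\\Temp\\",
             "\\Admin$\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\C$\\",
             "\\Temporary Internet"]
FOLDERS_2 = [(":\\Users\\", "\\Favorites\\"), (":\\Users\\", "\\Favourites\\"),
             (":\\Users\\", "\\Contacts\\")]
DELL_PARENT = "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"
DELL_PATH = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"
CMD_EXE = "C:\\Windows\\System32\\cmd.exe"
EXPAND = "C:\\Windows\\System32\\expand.exe"


def contains(haystack, needle):
    return needle.lower() in haystack.lower()


def matches(event):
    image, cmd, parent = (event.get(k, "") for k in ("Image", "CommandLine", "ParentImage"))
    # selection_cmd: windash accepts the switch as -F: or /F: (simplified to these two forms)
    selection_cmd = image.lower().endswith("\\expand.exe") and any(
        contains(cmd, flag) for flag in ("-F:", "/F:"))
    # 1 of selection_folders_*: any single path, or a pair where both parts appear
    folders = any(contains(cmd, p) for p in FOLDERS_1) or any(
        all(contains(cmd, p) for p in pair) for pair in FOLDERS_2)
    # filter_optional_dell: parent AND path must both match to suppress the alert
    dell = parent.lower() == DELL_PARENT.lower() and contains(cmd, DELL_PATH)
    return selection_cmd and folders and not dell


def event(cmd, parent=CMD_EXE):
    return {"Image": EXPAND, "CommandLine": cmd, "ParentImage": parent}


# Constructed sample events, not real telemetry
DELL_CMD = "expand.exe " + DELL_PATH + "u.cab -F:* " + DELL_PATH + "u"
SAMPLES = {
    "public_dir": event("expand.exe C:\\Users\\Public\\a.cab -F:* C:\\Users\\Public\\out"),
    "slash_lowercase": event("expand /f:* C:\\Windows\\Temp\\x.cab C:\\Windows\\Temp\\x"),
    "contacts_pair": event("expand C:\\Users\\bob\\Contacts\\c.cab -F:* C:\\Users\\bob\\Contacts"),
    "dell_updater": event(DELL_CMD, parent=DELL_PARENT),
    "dell_path_other_parent": event(DELL_CMD),
    "no_suspicious_path": event("expand.exe D:\\drivers\\pkg.cab -F:* D:\\drivers\\out"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name:24} {'ALERT' if matches(ev) else 'no match'}")
```

The `dell_path_other_parent` sample still alerts: the filter suppresses a hit only when the Dell parent image and the Dell temp path are both present.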