Creation of a Diagcab

calendar Aug 12, 2024 · attack.resource-development  ·
Share on: linkedin copy

Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)

Sigma rule (View on GitHub)

 1title: Creation of a Diagcab
 2id: 3d0ed417-3d94-4963-a562-4a92c940656a
 3status: test
 4description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
 5references:
 6    - https://threadreaderapp.com/thread/1533879688141086720.html
 7author: frack113
 8date: 2022-06-08
 9tags:
10    - attack.resource-development
11logsource:
12    product: windows
13    category: file_event
14detection:
15    selection:
16        TargetFilename|endswith: '.diagcab'
17    condition: selection
18falsepositives:
19    - Legitimate microsoft diagcab
20level: medium

References

  • Thread by @j00sean on Thread Reader App

    @j00sean: microsoft-edge + ms-search + MSDT path traversal 0day = fun of 2-clicks (one click additional due to Protected View if docx is coming from remote btw). Sorry, your browser doesn't support embedded videos Th...…


    Read More

Related rules

to-top