Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Sigma rule
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
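As an added illustration, not code from the rule authors or from the Sigma project, the following Python re-implements this rule's matching logic over constructed process-creation events, so the effect of the `windash` modifier on `-F:`, the "1 of selection_folders_*" branch and the Dell parent filter can be checked by hand. Field names follow the rule; the set of dash variants covered by `windash` and the sample events are assumptions.

```python
from typing import Dict, List

# Rule values, lowercased because Sigma string matching is case-insensitive.
SUSPICIOUS_FOLDERS = [
    ':\\perflogs\\', ':\\programdata', ':\\users\\public\\', ':\\windows\\temp\\',
    '\\admin$\\', '\\appdata\\local\\temp\\', '\\appdata\\roaming\\', '\\c$\\',
    '\\temporary internet',
]
USER_SUBFOLDERS = ['\\favorites\\', '\\favourites\\', '\\contacts\\']  # each paired with ':\Users\'
DELL_PARENT = 'c:\\program files (x86)\\dell\\updateservice\\serviceshell.exe'
DELL_TEMP = 'c:\\programdata\\dell\\updateservice\\temp\\'


def windash_variants(value: str) -> List[str]:
    """Approximation (assumption) of Sigma's |windash: '-' also matches '/' and Unicode dashes."""
    return [value.replace('-', d) for d in ('-', '/', '\u2013', '\u2014')]


def rule_matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's condition line."""
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    parent = event.get('ParentImage', '').lower()
    # selection_cmd: expand.exe with a -F:/ /F: switch
    if not image.endswith('\\expand.exe'):
        return False
    if not any(v.lower() in cmd for v in windash_variants('-F:')):
        return False
    # 1 of selection_folders_*: any uncommon folder, or a user profile subfolder
    folders_1 = any(f in cmd for f in SUSPICIOUS_FOLDERS)
    folders_2 = ':\\users\\' in cmd and any(s in cmd for s in USER_SUBFOLDERS)
    if not (folders_1 or folders_2):
        return False
    # not 1 of filter_optional_*: the documented Dell UpdateService case
    if parent == DELL_PARENT and DELL_TEMP in cmd:
        return False
    return True


EXPAND = 'C:\\Windows\\System32\\expand.exe'
CMD = 'C:\\Windows\\System32\\cmd.exe'
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {'Image': EXPAND, 'ParentImage': CMD,
     'CommandLine': 'expand.exe -F:* C:\\Users\\Public\\update.cab C:\\Users\\Public\\out'},
    {'Image': EXPAND, 'ParentImage': CMD,
     'CommandLine': 'expand.exe /F:* "C:\\Users\\bob\\Favorites\\a.cab" C:\\Users\\bob\\Favorites'},
    {'Image': EXPAND, 'ParentImage': 'C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe',
     'CommandLine': 'expand.exe -F:* C:\\ProgramData\\Dell\\UpdateService\\Temp\\d.cab C:\\ProgramData\\Dell\\UpdateService\\Temp\\'},
    {'Image': EXPAND, 'ParentImage': CMD,
     'CommandLine': 'expand.exe -F:* C:\\drivers\\pkg.cab C:\\drivers'},
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    return [rule_matches(e) for e in events]
```

Only the first two constructed events alert: the Dell case is suppressed by the optional filter and the last one names no suspicious folder.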
Related rules
- Binary Proxy Execution Via Dotnet-Trace.EXE
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via Squirrel.EXE
- Potential File Download Via MS-AppInstaller Protocol Handler