Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet (.cab) files with expand.exe from potentially suspicious or uncommon locations, e.g. as seen in the MeteorExpress wiper attacks against Iranian targets
Sigma rule
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet (.cab) files with expand.exe from potentially suspicious or uncommon locations, e.g. as seen in the MeteorExpress wiper attacks against Iranian targets
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - ':\ProgramData'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - ':\Windows\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator usage
level: medium
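To make the rule's matching semantics concrete, the following is an added example (not part of the Sigma project or this rule's own code): a small Python evaluator that mirrors the rule's selections, the `windash` and `contains|all` modifiers and the `not 1 of filter_optional_*` condition, run over constructed process-creation events. The event field names, the dash variants expanded by `windash` (taken from the Sigma specification's description of that modifier) and all sample command lines are assumptions made for this illustration.

```python
"""Added example: evaluate the 'Potentially Suspicious Cabinet File Expansion'
Sigma rule against constructed process_creation events.

Not part of the Sigma project. Every event below is made up for illustration.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process_creation event with only the fields the rule reads."""
    image: str
    command_line: str
    parent_image: str = ""


# Sigma string matching is case-insensitive, so every comparison lowercases both sides.
def contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


# 'windash' creates all dash variants of a command-line switch: '-', '/',
# en dash, em dash and horizontal bar (per the Sigma specification of the modifier).
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def contains_windash(haystack: str, switch: str) -> bool:
    assert switch[0] in "-/", "windash values are written with a leading '-' or '/'"
    body = switch[1:]
    return any(contains(haystack, dash + body) for dash in DASH_VARIANTS)


# selection_folders_1: any one of these substrings (strings end in a backslash, so doubled here)
SUSPICIOUS_DIRS = [
    ":\\Perflogs\\", ":\\Users\\Public\\", "\\Temporary Internet", ":\\ProgramData",
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\Temp", ":\\Windows\\Temp",
]
# selection_folders_2: a list of maps = OR of AND-groups (contains|all inside each group)
PROFILE_SUBDIRS = [
    (":\\Users\\", "\\Favorites\\"),
    (":\\Users\\", "\\Favourites\\"),
    (":\\Users\\", "\\Contacts\\"),
]
DELL_PARENT = "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"
DELL_TEMP = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"


def selection_cmd(ev: ProcessEvent) -> bool:
    return ev.image.lower().endswith("\\expand.exe") and contains_windash(ev.command_line, "-F:")


def selection_folders_1(ev: ProcessEvent) -> bool:
    return any(contains(ev.command_line, d) for d in SUSPICIOUS_DIRS)


def selection_folders_2(ev: ProcessEvent) -> bool:
    return any(all(contains(ev.command_line, p) for p in group) for group in PROFILE_SUBDIRS)


def filter_optional_dell(ev: ProcessEvent) -> bool:
    # A plain (unmodified) Sigma value is an exact, case-insensitive match.
    return ev.parent_image.lower() == DELL_PARENT.lower() and contains(ev.command_line, DELL_TEMP)


def matches(ev: ProcessEvent) -> bool:
    """condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*"""
    return (selection_cmd(ev)
            and (selection_folders_1(ev) or selection_folders_2(ev))
            and not filter_optional_dell(ev))


# Constructed events (hypothetical paths and command lines, not real telemetry).
EXPAND = r"C:\Windows\System32\expand.exe"
SAMPLE_EVENTS = {
    "public-dash":   ProcessEvent(EXPAND, r"expand.exe -F:* C:\Users\Public\payload.cab C:\Users\Public\out"),
    "temp-slash":    ProcessEvent(EXPAND, r"expand /F:* C:\Windows\Temp\update.cab C:\Windows\Temp\out"),
    "temp-endash":   ProcessEvent(EXPAND, "expand \u2013F:* C:\\Windows\\Temp\\u.cab C:\\Windows\\Temp\\o"),
    "favorites":     ProcessEvent(EXPAND, r'expand -F:* "C:\Users\bob\Favorites\a.cab" C:\Users\bob\Favorites\x'),
    "dell-updater":  ProcessEvent(EXPAND, r"expand.exe -F:* C:\ProgramData\Dell\UpdateService\Temp\pkg.cab C:\ProgramData\Dell\UpdateService\Temp\x",
                                  parent_image=DELL_PARENT),
    "admin-drivers": ProcessEvent(EXPAND, r"expand -F:* D:\drivers\net.cab C:\drivers\net"),
    "makecab":       ProcessEvent(r"C:\Windows\System32\makecab.exe", r"makecab.exe C:\Users\Public\x.txt C:\Users\Public\x.cab"),
}


def evaluate(events: dict) -> dict:
    """Return {label: matched} for every event."""
    return {label: matches(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{label:14s} {'ALERT' if hit else 'ok'}")
```

Two points worth noting from the run: the `windash` modifier is what lets the `/F:` and en dash spellings of the switch trigger the rule, so a rewrite of the rule without that modifier would be bypassable by a trivial switch-character change; and the Dell filter is an exact match on the 32-bit install path of `ServiceShell.exe`, so the same updater installed under a different directory would not be suppressed and would need its own `filter_optional_*` entry, which the `1 of filter_optional_*` condition accommodates without changing the rule logic.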
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE