Potentially Suspicious Cabinet File Expansion

Detects the expansion or decompression of cabinet (.cab) files from potentially suspicious or uncommon locations, e.g. as seen in the Iranian MeteorExpress-related attacks

Sigma rule

title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - ':\ProgramData'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - ':\Windows\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
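To see how the rule's selections, the `windash` modifier and the optional Dell filter combine in practice, the following is an added stand-alone evaluation of the same logic over constructed process_creation events. It is example code written for this page, not tooling from the SigmaHQ project; the sample paths and command lines are constructed, and the set of dash characters used for `windash` ('-', '/', en dash, em dash, horizontal bar) is an assumption taken from pySigma's behaviour that should be verified against the backend actually used. Sigma `contains`/`endswith` matching and plain string values are treated as case-insensitive, which is how the specification defines them.

```python
"""Stand-alone evaluation of the 'Potentially Suspicious Cabinet File Expansion'
Sigma logic over constructed process_creation events (example code written for
this page, not the SigmaHQ project's own tooling)."""
from dataclasses import dataclass
from typing import List

# Sigma's `windash` modifier expands the leading dash of a value to the
# dash-like characters Windows command-line parsers accept. Assumption: this is
# the set pySigma uses ('-', '/', en dash, em dash, horizontal bar).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

# selection_folders_1: any one of these substrings in the command line.
SUSPICIOUS_FOLDERS = (
    ":\\Perflogs\\",
    ":\\Users\\Public\\",
    "\\Temporary Internet",
    ":\\ProgramData",
    "\\AppData\\Local\\Temp",
    "\\AppData\\Roaming\\Temp",
    ":\\Windows\\Temp",
)

# selection_folders_2: ':\Users\' together with one of these per-user folders.
USER_SUBFOLDERS = ("\\Favorites\\", "\\Favourites\\", "\\Contacts\\")

# filter_optional_dell values, copied from the rule.
DELL_PARENT = "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"
DELL_TEMP = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"


@dataclass
class ProcessEvent:
    """Minimal process_creation event carrying the three fields the rule reads."""
    Image: str
    CommandLine: str
    ParentImage: str = ""


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive.
    return needle.lower() in haystack.lower()


def selection_cmd(ev: ProcessEvent) -> bool:
    if not ev.Image.lower().endswith("\\expand.exe"):
        return False
    # '-F:' with windash: any accepted dash variant followed by 'F:'.
    return any(_contains(ev.CommandLine, dash + "F:") for dash in WINDASH_VARIANTS)


def selection_folders_1(ev: ProcessEvent) -> bool:
    return any(_contains(ev.CommandLine, folder) for folder in SUSPICIOUS_FOLDERS)


def selection_folders_2(ev: ProcessEvent) -> bool:
    return _contains(ev.CommandLine, ":\\Users\\") and any(
        _contains(ev.CommandLine, sub) for sub in USER_SUBFOLDERS
    )


def filter_optional_dell(ev: ProcessEvent) -> bool:
    # An unmodified string value in Sigma is a case-insensitive equality match.
    return ev.ParentImage.lower() == DELL_PARENT.lower() and _contains(ev.CommandLine, DELL_TEMP)


def rule_matches(ev: ProcessEvent) -> bool:
    """condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*"""
    return (
        selection_cmd(ev)
        and (selection_folders_1(ev) or selection_folders_2(ev))
        and not filter_optional_dell(ev)
    )


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # 1: cab expanded out of Users\Public -> selection_folders_1 -> alert
    ProcessEvent(r"C:\Windows\System32\expand.exe",
                 r"expand.exe -F:* C:\Users\Public\update.cab C:\Users\Public\out"),
    # 2: slash switch (windash) plus a per-user Favorites folder -> selection_folders_2 -> alert
    ProcessEvent(r"C:\Windows\System32\expand.exe",
                 r"expand.exe /F:* C:\Users\alice\Favorites\data.cab C:\Users\alice\Favorites"),
    # 3: en dash switch, as happens when a command is pasted from a document -> still alert
    ProcessEvent(r"C:\Windows\System32\expand.exe",
                 "expand.exe \u2013F:* C:\\Windows\\Temp\\pkg.cab C:\\Windows\\Temp\\pkg"),
    # 4: Dell UpdateService expanding into its own temp directory -> filtered, no alert
    ProcessEvent(r"C:\Windows\System32\expand.exe",
                 r"expand.exe -F:* C:\ProgramData\Dell\UpdateService\Temp\pkg.cab C:\ProgramData\Dell\UpdateService\Temp\pkg",
                 ParentImage=r"C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe"),
    # 5: expansion into a system directory, none of the listed folders -> no alert
    ProcessEvent(r"C:\Windows\System32\expand.exe",
                 r"expand.exe -F:* C:\Windows\System32\driver.cab C:\Windows\System32\drivers"),
    # 6: expand.exe without the -F: switch -> selection_cmd fails -> no alert
    ProcessEvent(r"C:\Windows\System32\expand.exe",
                 r"expand.exe -r C:\Users\Public\archive.cab"),
]


def evaluate(events: List[ProcessEvent]) -> List[bool]:
    """Return one verdict per event, in input order."""
    return [rule_matches(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", ev.CommandLine)
```

Event 4 shows why the filter is named `filter_optional_*`: the Dell updater trips `selection_folders_1` through `:\ProgramData`, and only the combination of the exact parent image and the updater's own temp path suppresses it, so an expansion under `C:\ProgramData` from any other parent still alerts.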
