Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Sigma rule
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021/07/30
modified: 2023/11/02
tags:
    - attack.execution
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains:
            - '/F:'
            - '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - ':\ProgramData'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - ':\Windows\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
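To show how the selections and the condition above combine, the following is an added example (not part of the Sigma project or this rule's source) that re-implements the rule's matching logic in plain Python and runs it over a few constructed process_creation events. The events, the `matches`/`evaluate` helper names and the case-insensitive comparison (Sigma's default for string matching) are assumptions of this example; the match values themselves are copied from the rule.

```python
"""Re-implementation of the 'Potentially Suspicious Cabinet File Expansion'
Sigma logic over constructed process_creation events.
Added example for illustration; not code from the Sigma project."""

# Match values copied from the rule above (backslashes escaped for Python).
SELECTION_CMD_IMAGE_SUFFIX = "\\expand.exe"          # Image|endswith
SELECTION_CMD_FLAGS = ["/F:", "-F:"]                  # CommandLine|contains
SELECTION_FOLDERS_1 = [                               # CommandLine|contains
    ":\\Perflogs\\", ":\\Users\\Public\\", "\\Temporary Internet",
    ":\\ProgramData", "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\Temp",
    ":\\Windows\\Temp",
]
SELECTION_FOLDERS_2 = [                               # each group is contains|all
    [":\\Users\\", "\\Favorites\\"],
    [":\\Users\\", "\\Favourites\\"],
    [":\\Users\\", "\\Contacts\\"],
]
FILTER_DELL_PARENT = "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"
FILTER_DELL_CMDLINE = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"


def _ci(s):
    # Sigma string modifiers match case-insensitively by default.
    return s.lower()


def selection_cmd(ev):
    # Image ends with \expand.exe AND command line carries one of the /F: or -F: flags.
    return _ci(ev["Image"]).endswith(_ci(SELECTION_CMD_IMAGE_SUFFIX)) and any(
        _ci(flag) in _ci(ev["CommandLine"]) for flag in SELECTION_CMD_FLAGS)


def selection_folders_1(ev):
    # Any single suspicious path fragment in the command line.
    cl = _ci(ev["CommandLine"])
    return any(_ci(p) in cl for p in SELECTION_FOLDERS_1)


def selection_folders_2(ev):
    # At least one contains|all group fully present (e.g. ':\Users\' and '\Favorites\').
    cl = _ci(ev["CommandLine"])
    return any(all(_ci(p) in cl for p in group) for group in SELECTION_FOLDERS_2)


def filter_optional_dell(ev):
    # Exact parent image match AND the Dell temp path in the command line.
    return (_ci(ev.get("ParentImage", "")) == _ci(FILTER_DELL_PARENT)
            and _ci(FILTER_DELL_CMDLINE) in _ci(ev["CommandLine"]))


def matches(ev):
    # condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
    return (selection_cmd(ev)
            and (selection_folders_1(ev) or selection_folders_2(ev))
            and not filter_optional_dell(ev))


# Constructed sample events (assumed field names follow the Sigma process_creation model).
SAMPLE_EVENTS = [
    # expand.exe run from a ProgramData path with the -F: flag -> should alert
    {"Image": "C:\\Windows\\System32\\expand.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand.exe C:\\ProgramData\\update.cab -F:* C:\\ProgramData\\out"},
    # Dell updater expanding into its own temp folder -> suppressed by filter_optional_dell
    {"Image": "C:\\Windows\\System32\\expand.exe",
     "ParentImage": FILTER_DELL_PARENT,
     "CommandLine": "expand.exe -F:* C:\\ProgramData\\Dell\\UpdateService\\Temp\\pkg.cab "
                    "C:\\ProgramData\\Dell\\UpdateService\\Temp\\out"},
    # user profile path not in either folder selection -> no alert
    {"Image": "C:\\Windows\\System32\\expand.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand.exe -F:* C:\\Users\\alice\\Downloads\\drivers.cab C:\\Users\\alice\\Downloads\\out"},
    # Favorites folder satisfies a contains|all group in selection_folders_2 -> should alert
    {"Image": "C:\\Windows\\System32\\expand.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "expand.exe /F:* C:\\Users\\alice\\Favorites\\f.cab C:\\Users\\alice\\Favorites\\"},
    # a different binary with a similar flag in a temp path -> selection_cmd fails, no alert
    {"Image": "C:\\Windows\\System32\\makecab.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "makecab.exe /F:C:\\Windows\\Temp\\build.ddf"},
]


def evaluate(events):
    """Return one boolean per event: True where the rule would fire."""
    return [matches(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", ev["CommandLine"])
```

The second event is the one to watch when tuning: it matches `selection_folders_1` through `:\ProgramData`, and only the `filter_optional_dell` entry keeps it quiet, so any change to the Dell updater's parent path or temp directory would turn it back into an alert.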
Related rules
- Lolbin Defaultpack.exe Use As Proxy
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Potential Suspicious Mofcomp Execution
- Potentially Suspicious Child Process Of VsCode
- Potential Compromised 3CXDesktopApp Execution