Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet (.cab) files via expand.exe from potentially suspicious or uncommon locations, as seen, for example, in the MeteorExpress wiper attacks against Iranian targets and in a Konni campaign targeting Russia.
Sigma rule
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021/07/30
modified: 2024/03/05
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - ':\ProgramData'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - ':\Windows\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
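As an added worked example, not part of the SigmaHQ rule or its repository, the following Python re-implements the rule's matching logic (case-insensitive `contains`/`endswith`, the `windash` dash expansion, the `contains|all` pairs of selection_folders_2 and the optional Dell parent filter) and runs it over a handful of constructed process_creation events. The field names follow the Sysmon/Sigma process_creation schema; the windash variant set and all sample command lines are assumptions of this example, not captured telemetry.

```python
"""Re-implementation of the Sigma rule above, run over constructed process_creation events."""

# windash: the Sigma spec expands a '-' in the pattern so that '/' (and, in newer
# versions of the spec, the Unicode en dash, em dash and horizontal bar) also match.
# Assumption: this is the full variant set; check what your backend actually emits.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

SUSPICIOUS_DIRS = (  # selection_folders_1: CommandLine|contains
    ":\\Perflogs\\",
    ":\\Users\\Public\\",
    "\\Temporary Internet",
    ":\\ProgramData",
    "\\AppData\\Local\\Temp",
    "\\AppData\\Roaming\\Temp",
    ":\\Windows\\Temp",
)
USER_SUBDIRS = ("\\Favorites\\", "\\Favourites\\", "\\Contacts\\")  # selection_folders_2, paired with ':\Users\'

DELL_PARENT = "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"
DELL_TEMP = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"


def contains(value, needle):
    """Sigma string matching is case-insensitive; 'contains' is a substring test."""
    return needle.lower() in (value or "").lower()


def contains_windash(value, needle):
    """'contains|windash': try the pattern once per dash variant substituted for '-'."""
    return any(contains(value, needle.replace("-", dash)) for dash in WINDASH_VARIANTS)


def selection_cmd(event):
    """Image|endswith '\\expand.exe' and CommandLine|contains|windash '-F:'."""
    image = (event.get("Image") or "").lower()
    return image.endswith("\\expand.exe") and contains_windash(event.get("CommandLine"), "-F:")


def selection_folders(event):
    """1 of selection_folders_*: any suspicious dir, or ':\\Users\\' plus one of the profile subfolders."""
    cl = event.get("CommandLine")
    if any(contains(cl, d) for d in SUSPICIOUS_DIRS):
        return True
    return contains(cl, ":\\Users\\") and any(contains(cl, s) for s in USER_SUBDIRS)


def filter_optional_dell(event):
    """filter_optional_dell: exact (case-insensitive) parent match plus the Dell temp path."""
    parent = (event.get("ParentImage") or "").lower()
    return parent == DELL_PARENT.lower() and contains(event.get("CommandLine"), DELL_TEMP)


def rule_matches(event):
    """condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*"""
    return selection_cmd(event) and selection_folders(event) and not filter_optional_dell(event)


# Constructed sample events (Sysmon-style field names); these are NOT real telemetry.
SAMPLE_EVENTS = [
    {"id": "meteor", "Image": "C:\\Windows\\System32\\expand.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand.exe -F:* C:\\Users\\Public\\update.cab C:\\Users\\Public\\"},
    {"id": "slash", "Image": "C:\\Windows\\System32\\expand.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand /F:* C:\\Windows\\Temp\\drv.cab C:\\Windows\\Temp\\out"},
    {"id": "favorites", "Image": "C:\\Windows\\System32\\expand.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "expand.exe -F:* \"C:\\Users\\alice\\Favorites\\pkg.cab\" C:\\Users\\alice\\Favorites\\"},
    {"id": "lowercase", "Image": "c:\\windows\\system32\\EXPAND.EXE", "ParentImage": "c:\\windows\\system32\\cmd.exe",
     "CommandLine": "expand.exe -f:* c:\\programdata\\x.cab c:\\programdata\\"},
    {"id": "dell", "Image": "C:\\Windows\\SysWOW64\\expand.exe", "ParentImage": DELL_PARENT,
     "CommandLine": "expand.exe -F:* " + DELL_TEMP + "pkg.cab " + DELL_TEMP + "out"},
    {"id": "benign", "Image": "C:\\Windows\\System32\\expand.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand.exe -F:* D:\\drivers\\net.cab D:\\drivers\\out"},
    {"id": "no_flag", "Image": "C:\\Windows\\System32\\expand.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand.exe C:\\Users\\Public\\a.cab C:\\Users\\Public\\b"},
]


def matching_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events that would raise this rule, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<10} {'ALERT' if rule_matches(e) else 'no match':<9} {e['CommandLine']}")
```

Two things the sample run makes visible. First, the rule only fires when expand.exe is invoked with `-F:` (the wildcard/multi-file form); the single-file form `expand.exe source destination`, as in the `no_flag` event, is not covered even when both paths sit under `\Users\Public\`, so pair this rule with a broader expand.exe rule if that gap matters in your environment. Second, `':\ProgramData'` has no trailing backslash and the match is anywhere in the command line, so both the .cab source and the extraction target are in scope; that is why the Dell updater needs the explicit parent filter rather than a path tweak.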
Related rules
- Curl Download And Execute Combination
- DLL Loaded via CertOC.EXE
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Diskshadow Script Mode - Uncommon Script Extension Execution
- Insensitive Subfolder Search Via Findstr.EXE