Potentially Suspicious Cabinet File Expansion

 1title: Potentially Suspicious Cabinet File Expansion
 2id: 9f107a84-532c-41af-b005-8d12a607639f
 3status: test
 4description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
 5references:
 6    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
 7    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 8author: Bhabesh Raj, X__Junior (Nextron Systems)
 9date: 2021/07/30
10modified: 2024/03/05
11tags:
12    - attack.defense_evasion
13    - attack.t1218
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_cmd:
19        Image|endswith: '\expand.exe'
20        CommandLine|contains|windash: '-F:'
21    selection_folders_1:
22        CommandLine|contains:
23            - ':\Perflogs\'
24            - ':\Users\Public\'
25            - '\Temporary Internet'
26            - ':\ProgramData'
27            - '\AppData\Local\Temp'
28            - '\AppData\Roaming\Temp'
29            - ':\Windows\Temp'
30    selection_folders_2:
31        - CommandLine|contains|all:
32              - ':\Users\'
33              - '\Favorites\'
34        - CommandLine|contains|all:
35              - ':\Users\'
36              - '\Favourites\'
37        - CommandLine|contains|all:
38              - ':\Users\'
39              - '\Contacts\'
40    filter_optional_dell:
41        # Launched by Dell ServiceShell.exe
42        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
43        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
44    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
45falsepositives:
46    - System administrator Usage
47level: medium