Potentially Suspicious Cabinet File Expansion

 1title: Potentially Suspicious Cabinet File Expansion
 2id: 9f107a84-532c-41af-b005-8d12a607639f
 3status: test
 4description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
 5references:
 6    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
 7    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 8author: Bhabesh Raj, X__Junior (Nextron Systems)
 9date: 2021/07/30
10modified: 2023/11/02
11tags:
12    - attack.execution
13    - attack.t1218
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_cmd:
19        Image|endswith: '\expand.exe'
20        CommandLine|contains:
21            - '/F:'
22            - '-F:'
23    selection_folders_1:
24        CommandLine|contains:
25            - ':\Perflogs\'
26            - ':\Users\Public\'
27            - '\Temporary Internet'
28            - ':\ProgramData'
29            - '\AppData\Local\Temp'
30            - '\AppData\Roaming\Temp'
31            - ':\Windows\Temp'
32    selection_folders_2:
33        - CommandLine|contains|all:
34              - ':\Users\'
35              - '\Favorites\'
36        - CommandLine|contains|all:
37              - ':\Users\'
38              - '\Favourites\'
39        - CommandLine|contains|all:
40              - ':\Users\'
41              - '\Contacts\'
42    filter_optional_dell:
43        # Launched by Dell ServiceShell.exe
44        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
45        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
46    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
47falsepositives:
48    - System administrator Usage
49level: medium