Suspicious Extrac32 Alternate Data Stream Execution

calendar Aug 12, 2024 · attack.defense-evasion attack.t1564.004  ·
Share on: linkedin copy

Extract data from cab file and hide it in an alternate data stream

Sigma rule (View on GitHub)

 1title: Suspicious Extrac32 Alternate Data Stream Execution
 2id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
 3status: test
 4description: Extract data from cab file and hide it in an alternate data stream
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
 7author: frack113
 8date: 2021-11-26
 9modified: 2022-12-30
10tags:
11    - attack.defense-evasion
12    - attack.t1564.004
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains|all:
19            - extrac32.exe
20            - .cab
21        CommandLine|re: ':[^\\]'
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

  • Extrac32 on LOLBAS

    Extrac32.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

Related rules

to-top