Suspicious Extrac32 Alternate Data Stream Execution

calendar Dec 30, 2022 · attack.defense_evasion attack.t1564.004  ·
Share on: linkedin copy

Extract data from cab file and hide it in an alternate data stream

Sigma rule (View on GitHub)

 1title: Suspicious Extrac32 Alternate Data Stream Execution
 2id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
 3status: test
 4description: Extract data from cab file and hide it in an alternate data stream
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
 7author: frack113
 8date: 2021/11/26
 9modified: 2022/12/30
10tags:
11    - attack.defense_evasion
12    - attack.t1564.004
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains|all:
19            - extrac32.exe
20            - .cab
21        CommandLine|re: ':[^\\]'
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top