detection.wiki

Detection rules › Sigma

Potentially Suspicious Cabinet File Expansion

Severity
medium
Author
Bhabesh Raj, X__Junior (Nextron Systems)
Source
upstream

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1218 System Binary Proxy Execution

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection_cmd

CommandLine|contains: '-F:'
Image|endswith: '\expand.exe'

Stage 2: 1 of selection_folders_1

or:
CommandLine|contains: ':\Perflogs\'
CommandLine|contains: ':\ProgramData'
CommandLine|contains: ':\Users\Public\'
CommandLine|contains: ':\Windows\Temp\'
CommandLine|contains: '\Admin$\'
CommandLine|contains: '\AppData\Local\Temp\'
CommandLine|contains: '\AppData\Roaming\'
CommandLine|contains: '\C$\'
CommandLine|contains: '\Temporary Internet'

Stage 3: 1 of selection_folders_2

or:
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Contacts\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Favorites\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Favourites\'

Stage 4: not 1 of filter_optional_dell

CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -F:
  • :\Perflogs\ corpus 4 (sigma 4)
  • :\ProgramData
  • :\Users\ corpus 6 (sigma 6)
  • :\Users\Public\ corpus 14 (sigma 14)
  • :\Windows\Temp\ corpus 15 (sigma 15)
  • C:\ProgramData\Dell\UpdateService\Temp\
  • \Admin$\
  • \AppData\Local\Temp\ corpus 16 (sigma 16)
  • \AppData\Roaming\ corpus 10 (sigma 10)
  • \C$\
  • \Contacts\ corpus 6 (sigma 6)
  • \Favorites\ corpus 6 (sigma 6)
  • \Favourites\ corpus 6 (sigma 6)
  • \Temporary Internet corpus 6 (sigma 6)
Imageends_with
  • \expand.exe corpus 3 (sigma 3)
ParentImageeq
  • C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe