sigma | medium | Hunting
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Detection Query
selection_cmd:
    Image|endswith: \expand.exe
    CommandLine|contains|windash: "-F:"
selection_folders_1:
    CommandLine|contains:
        - :\Perflogs\
        - :\ProgramData
        - :\Users\Public\
        - :\Windows\Temp\
        - \Admin$\
        - \AppData\Local\Temp\
        - \AppData\Roaming\
        - \C$\
        - \Temporary Internet
selection_folders_2:
    - CommandLine|contains|all:
        - :\Users\
        - \Favorites\
    - CommandLine|contains|all:
        - :\Users\
        - \Favourites\
    - CommandLine|contains|all:
        - :\Users\
        - \Contacts\
filter_optional_dell:
    ParentImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
    CommandLine|contains: C:\ProgramData\Dell\UpdateService\Temp\
condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
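To show how the three selections and the optional filter combine, here is an added Python evaluator for the rule above, run over a handful of constructed process-creation events. It is illustrative code written for this page, not the Sigma project's engine or any backend; the `ProcessEvent` field names are assumptions, the sample command lines are made up, and the `windash` emulation only covers the `-`/`/` forms the rule's `-F:` value needs. It relies on Sigma's default case-insensitive string matching.

```python
"""Added example: evaluate the 'Potentially Suspicious Cabinet File Expansion'
Sigma rule over constructed process-creation events.

Illustrative code, not the Sigma project's own engine. It emulates the Sigma
behaviours the rule depends on: case-insensitive contains/endswith, the
`windash` modifier (a '-' switch also matches '/'), and the
`not 1 of filter_optional_*` clause. Field names below are assumptions.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class ProcessEvent:
    """Minimal process-creation event (assumed field names, not a real schema)."""
    image: str
    command_line: str
    parent_image: str = ""


# selection_folders_1: any single fragment anywhere in the command line
FOLDERS_ANY = [
    ":\\Perflogs\\", ":\\ProgramData", ":\\Users\\Public\\", ":\\Windows\\Temp\\",
    "\\Admin$\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\C$\\",
    "\\Temporary Internet",
]
# selection_folders_2: every fragment of one tuple must be present (contains|all)
FOLDERS_ALL = [
    (":\\Users\\", "\\Favorites\\"),
    (":\\Users\\", "\\Favourites\\"),
    (":\\Users\\", "\\Contacts\\"),
]
DELL_PARENT = "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"
DELL_TEMP = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"


def windash_variants(value: str) -> set[str]:
    """Emulate Sigma's `windash`: each '-' may also appear as '/'."""
    dash_positions = [i for i, ch in enumerate(value) if ch == "-"]
    variants = set()
    for combo in product("-/", repeat=len(dash_positions)):
        chars = list(value)
        for pos, repl in zip(dash_positions, combo):
            chars[pos] = repl
        variants.add("".join(chars))
    return variants


def contains(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def selection_cmd(ev: ProcessEvent) -> bool:
    return ev.image.lower().endswith("\\expand.exe") and any(
        contains(ev.command_line, v) for v in windash_variants("-F:")
    )


def selection_folders(ev: ProcessEvent) -> bool:
    any_hit = any(contains(ev.command_line, f) for f in FOLDERS_ANY)
    all_hit = any(all(contains(ev.command_line, f) for f in combo) for combo in FOLDERS_ALL)
    return any_hit or all_hit


def filter_optional_dell(ev: ProcessEvent) -> bool:
    return ev.parent_image.lower() == DELL_PARENT.lower() and contains(ev.command_line, DELL_TEMP)


def matches(ev: ProcessEvent) -> bool:
    """condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*"""
    return selection_cmd(ev) and selection_folders(ev) and not filter_optional_dell(ev)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "public_dir": ProcessEvent(
        "C:\\Windows\\System32\\expand.exe",
        'expand.exe -F:* "C:\\Users\\Public\\update.cab" C:\\Users\\Public\\out'),
    "slash_switch": ProcessEvent(  # '/F:' only matches because of windash
        "C:\\Windows\\System32\\expand.exe",
        "expand.exe /F:* C:\\Windows\\Temp\\pkg.cab C:\\Windows\\Temp\\pkg"),
    "favorites": ProcessEvent(  # hits selection_folders_2, not selection_folders_1
        "C:\\Windows\\System32\\expand.exe",
        "expand.exe -F:* C:\\Users\\alice\\Favorites\\a.cab C:\\Users\\alice\\Favorites"),
    "dell_updater": ProcessEvent(  # would match, but filter_optional_dell suppresses it
        "C:\\Windows\\System32\\expand.exe",
        "expand.exe -F:* C:\\ProgramData\\Dell\\UpdateService\\Temp\\drv.cab "
        "C:\\ProgramData\\Dell\\UpdateService\\Temp\\drv",
        parent_image=DELL_PARENT),
    "tools_dir": ProcessEvent(  # location not covered by the rule: no alert
        "C:\\Windows\\System32\\expand.exe",
        "expand.exe -F:* C:\\Tools\\pkg.cab C:\\Tools\\pkg"),
}


def evaluate(events: dict[str, ProcessEvent]) -> dict[str, bool]:
    """Return rule verdict per named event."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

The `dell_updater` event is the interesting one for tuning: it satisfies both `selection_cmd` and `selection_folders_1`, and only the `filter_optional_dell` clause keeps it quiet. Because the filter is named `filter_optional_*`, a backend may drop it, so the usual way to handle the rule's stated false positive (administrator usage) is to add further parent-image/path pairs for software known to unpack cabinets from these directories rather than to loosen the folder lists.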
Author
Bhabesh Raj, X__Junior (Nextron Systems)
Created
2021-07-30
Data Sources
windows: Process Creation Events
Platforms
windows
References
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
Tags
attack.defense-evasion, attack.t1218
Raw Content
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium