Windows Office Product Dropped Cab or Inf File

name: Windows Office Product Dropped Cab or Inf File
id: dbdd251e-dd45-4ec9-a555-f5e151391746
version: 9
date: '2026-04-15'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.
data_source:
    - Sysmon EventID 1 AND Sysmon EventID 11
    - Windows Event Log Security 4688 AND Sysmon EventID 11
search: |-
    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
      WHERE `process_office_products`
      BY _time span=1h Processes.action
         Processes.dest Processes.original_file_name Processes.parent_process
         Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
         Processes.parent_process_name Processes.parent_process_path Processes.process
         Processes.process_exec Processes.process_guid Processes.process_hash
         Processes.process_id Processes.process_integrity_level Processes.process_name
         Processes.process_path Processes.user Processes.user_id
         Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | rename process_guid as proc_guid
    | join proc_guid, _time [
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
      WHERE Filesystem.file_name IN ("*.cab", "*.inf")
      BY _time span=1h Filesystem.dest
         Filesystem.file_create_time Filesystem.file_name Filesystem.file_path
         Filesystem.process_guid
    | `drop_dm_object_name(Filesystem)`
    | rename process_guid as proc_guid
    | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid]
    | dedup file_create_time
    | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid
    | `windows_office_product_dropped_cab_or_inf_file_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.
references:
    - https://twitter.com/vxunderground/status/1436326057179860992?s=20
    - https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
    - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
rba:
    message: An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Spearphishing Attachments
        - Microsoft MSHTML Remote Code Execution CVE-2021-40444
        - Compromised Windows Host
        - APT37 Rustonotto and FadeStealer
    asset_type: Endpoint
    cve:
        - CVE-2021-40444
    mitre_attack_id:
        - T1566.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog