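# Sigma rule: expand.exe unpacking a cabinet file from a user-writable or
# staging directory. A single `|contains` list is OR'd in Sigma, so the
# path filters are kept in their own selection and ANDed with the cabinet
# indicators; otherwise the paths would widen the match instead of
# narrowing it, which contradicts their stated purpose of curbing FPs.
title: Cabinet File Expansion
status: experimental
id: 9f107a84-532c-41af-b005-8d12a607639f
author: Bhabesh Raj
date: 2021/07/30
modified: 2021/08/31
description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack
references:
  - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
  - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
tags:
  - attack.execution
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  # The expand binary with a cabinet indicator on its command line:
  # a .cab extension or the filespec switch in either switch-character form.
  selection_cab:
    Image|endswith:
      - '\expand.exe'
    CommandLine|contains:
      - '.cab'
      - '/F:'
      - '-F:'
  # Suspicious source/destination paths; ANDed with selection_cab so that
  # routine administrative use of expand from other locations does not fire.
  selection_path:
    CommandLine|contains:
      - 'C:\ProgramData\'
      - 'C:\Public\'  # NOTE(review): not a default Windows folder — confirm whether \Users\Public\ was intended
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\Temp\'
  condition: selection_cab and selection_path
fields:
  - ComputerName
  - User
  - CommandLine
  - ParentCommandLine
falsepositives:
  - System administrator Usage
level: medium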