title: Cabinet File Expansion
author: Bhabesh Raj
date: 2021/07/30
description: Adversaries can use the inbuilt expand utility to decompress cab files
  as seen in recent Iranian MeteorExpress attack
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\expand.exe'
  SELECTION_3:
    CommandLine:
    - '*.cab*'
    - '*/F:*'
    - '*-F:*'
    - '*C:\ProgramData\\*'
    - '*C:\Public\\*'
    - '*\AppData\Local\Temp\\*'
    - '*\AppData\Roaming\Temp\\*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- System administrator Usage
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 9f107a84-532c-41af-b005-8d12a607639f
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2021/08/31
references:
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
status: experimental
tags:
- attack.execution
- attack.t1218
ruletype: SIGMA