Closed MalGamy12 closed 5 days ago
### Summary of the Pull Request

Update proc_creation_win_expand to refine detection for suspicious cabinet file expansion behavior.

### Changelog

update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares

### Example Log Event

```
RuleName: -
UtcTime: 2024-11-10 12:22:35.429
ProcessGuid: {6e6be129-a58b-6730-e30b-000000001500}
ProcessId: 5800
Image: C:\Windows\System32\expand.exe
FileVersion: 5.00 (WinBuild.160101.0800)
Description: LZ Expansion Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: expand
CommandLine: expand -f:* \\{HostName}\c$\programdata\microsoft\drm\go4.cab \\{HostName}\c$\programdata\microsoft\drm
CurrentDirectory:
User:
LogonGuid: {6e6be129-268c-6729-ecfc-1d0000000000}
LogonId: 0x1DFCEC
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=3080AD9250254478269B486EC15C25FF,SHA256=210A43646B58A60035CEDC30281F3414DD6A551A62255AAC7EF828C5D7EA46CE,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718
ParentProcessGuid: {6e6be129-a58b-6730-e20b-000000001500}
ParentProcessId: 2072
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /C expand -f:* \\{HostName}\c$\programdata\microsoft\drm\go4.cab \\{HostName}\c$\programdata\microsoft\drm
ParentUser:
```
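To see what "new paths for built-in shares" means against the event above, here is an added example (not the SigmaHQ rule itself, whose selectors are not reproduced on this page, and not code from the PR author): it re-splits the flattened Sysmon EventID 1 text into fields and applies a hypothetical approximation of the share-path selector, a UNC path whose first component is an administrative share such as `C$` or `ADMIN$`, to `expand.exe` process creations. The first sample record is the page's example event; the other records are constructed for contrast.

```python
import re

# Sysmon EventID 1 field names, used only to re-split the flattened
# "Key: Value" text shown on the PR page. A real pipeline would consume the
# XML/JSON event rather than parse it this way.
SYSMON_FIELDS = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine", "ParentUser",
]
# A field name only counts when it starts the text or follows whitespace, so
# "ParentImage:" is never split as "Parent" + "Image:". Longest names first.
_FIELD_RE = re.compile(
    r"(?:^|\s)(" + "|".join(sorted(SYSMON_FIELDS, key=len, reverse=True)) + r"):"
)

# Hypothetical approximation of the rule's built-in share selector: a UNC path
# whose share component is a drive share (C$, D$, ...) or ADMIN$.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\(?:[A-Za-z]\$|ADMIN\$)\\", re.IGNORECASE)

# Record 0 is the page's example event; records 1-3 are constructed.
SAMPLE_EVENTS = [
    r"RuleName: - UtcTime: 2024-11-10 12:22:35.429 "
    r"ProcessGuid: {6e6be129-a58b-6730-e30b-000000001500} ProcessId: 5800 "
    r"Image: C:\Windows\System32\expand.exe FileVersion: 5.00 (WinBuild.160101.0800) "
    r"Description: LZ Expansion Utility Product: Microsoft Windows Operating System "
    r"Company: Microsoft Corporation OriginalFileName: expand "
    r"CommandLine: expand -f:* \\{HostName}\c$\programdata\microsoft\drm\go4.cab "
    r"\\{HostName}\c$\programdata\microsoft\drm CurrentDirectory: User: "
    r"LogonGuid: {6e6be129-268c-6729-ecfc-1d0000000000} LogonId: 0x1DFCEC "
    r"TerminalSessionId: 1 IntegrityLevel: High "
    r"Hashes: MD5=3080AD9250254478269B486EC15C25FF "
    r"ParentProcessGuid: {6e6be129-a58b-6730-e20b-000000001500} ParentProcessId: 2072 "
    r"ParentImage: C:\Windows\System32\cmd.exe "
    r"ParentCommandLine: cmd.exe /C expand -f:* \\{HostName}\c$\programdata\microsoft\drm\go4.cab "
    r"\\{HostName}\c$\programdata\microsoft\drm ParentUser:",
    # Constructed: benign local expansion, should not match.
    r"Image: C:\Windows\System32\expand.exe OriginalFileName: expand "
    r"CommandLine: expand -F:* C:\Users\alice\Downloads\driver.cab C:\Temp\driver "
    r"ParentImage: C:\Windows\explorer.exe",
    # Constructed: source cabinet pulled from ADMIN$ on another host, should match.
    r"Image: C:\Windows\System32\expand.exe OriginalFileName: expand "
    r"CommandLine: expand \\SRV01\ADMIN$\update.cab C:\Windows\Temp "
    r"ParentImage: C:\Windows\System32\cmd.exe",
    # Constructed: admin-share path but a different binary, should not match.
    r"Image: C:\Windows\System32\xcopy.exe OriginalFileName: XCOPY.EXE "
    r"CommandLine: xcopy \\SRV01\c$\tools C:\tools ParentImage: C:\Windows\System32\cmd.exe",
]


def parse_flat_event(text):
    """Split one flattened Sysmon event into a {field: value} dict."""
    parts = _FIELD_RE.split(text)  # ["", key1, val1, key2, val2, ...]
    return {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}


def is_suspicious_expand(event):
    """True when expand.exe is launched with an administrative-share UNC path."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    if not (image.endswith("\\expand.exe") or original in ("expand", "expand.exe")):
        return False
    return ADMIN_SHARE_RE.search(event.get("CommandLine", "")) is not None


def find_hits(events):
    """Indices of the events the selector flags."""
    return [i for i, raw in enumerate(events) if is_suspicious_expand(parse_flat_event(raw))]


if __name__ == "__main__":
    for i in find_hits(SAMPLE_EVENTS):
        print(i, parse_flat_event(SAMPLE_EVENTS[i])["CommandLine"])
```

Checking both `Image` and `OriginalFileName` mirrors the usual Sigma convention for renamed-binary evasion; the share regex is the part that would need tuning against your own environment, since software deployment tooling that stages cabinets over `C$` will produce the same shape of command line.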