LoFP / false positives will only be present if a process legitimately writes a .cab file to disk. modify the analytic as needed by file path. filter as needed.

Techniques

• T1566.001

Sample rules

Windows CAB File on Disk

• source: splunk
• technicques:
  • T1566.001

Description

The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is ‘*.cab’ and the action is ‘write’. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. Analysts should review the file path and associated artifacts for further investigation.

Detection logic

| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name 
| `drop_dm_object_name("Filesystem")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_cab_file_on_disk_filter`