Techniques
Sample rules
Windows CAB File on Disk
- source: splunk
- technicques:
- T1566.001
Description
The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is ‘*.cab’ and the action is ‘write’. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event.
Detection logic
| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name
| `drop_dm_object_name("Filesystem")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cab_file_on_disk_filter`