Sigma rules for Meteor
1 rules · scoped to tool · back to Meteor
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
Image|endswith: '\expand.exe'
CommandLine|contains|windash: '-F:'
selection_folders_1:
CommandLine|contains:
- ':\Perflogs\'
- ':\ProgramData'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Admin$\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\C$\'
- '\Temporary Internet'
selection_folders_2:
- CommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
filter_optional_dell:
# Launched by Dell ServiceShell.exe
ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
- System administrator Usage
level: medium