Makecab.EXE Execution With An Uncommon Directive File Extension

Rule Info

Name
Makecab.EXE Execution With An Uncommon Directive File Extension
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "makecab.exe" with a directive file with an uncommon extension. The typical extension for cab directive is the Diamond Directive File (.DDF). Not using this extension might be a sign of something uncommon or even suspicious worth investigating.
Reference
https://ss64.com/nt/makecab-directives.html
Date
2024-03-12 00:00:00
Modified
None
Id
962fe105-395d-4627-9d7f-ff07b9be27e9
Tags
attack.execution attack.t1218
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022