Makecab.EXE Execution With Directive File

Rule Info

Name
Makecab.EXE Execution With Directive File
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "makecab.exe" with a directive file. Attackers can leverage makecab with a directive file in order to create a ".cab" file without the files being compressed appearing anywhere on the command line, since the ".DDF" directive file contains all the information necessary for the compression.
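As an added illustration of the detection idea in the description (this is not Nextron's private rule, and the matching heuristics are my own assumptions), the following Python flags process-creation events where makecab.exe is launched with its /F directive switch or with a .ddf argument, run over constructed Sysmon-style sample events:

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe /F C:\Users\Public\archive.ddf"},
    {"Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe C:\temp\report.txt C:\temp\report.cab"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\build.ddf"},
    {"Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe C:\build\package.DDF"},
]

# makecab accepts a directive file via the /F (or -F) switch; the switch must be
# a separate token so that paths containing "/f" are not matched by accident.
DIRECTIVE_FLAG = re.compile(r"(^|\s)[/-][fF](\s|$)")
# Assumed heuristic: a ".ddf" argument is treated as a directive file even without /F.
DDF_ARG = re.compile(r"\.ddf(\s|\"|'|$)", re.IGNORECASE)


def is_makecab_with_directive(event: Dict[str, str]) -> bool:
    """Return True when the event is makecab.exe started with a directive file."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    # Compare only the file name so any install path of makecab.exe is covered.
    if image.rsplit("\\", 1)[-1] != "makecab.exe":
        return False
    return bool(DIRECTIVE_FLAG.search(cmd) or DDF_ARG.search(cmd))


def find_suspicious(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that match the detection."""
    return [e["CommandLine"] for e in events if is_makecab_with_directive(e)]


if __name__ == "__main__":
    for cmdline in find_suspicious(SAMPLE_EVENTS):
        print("ALERT makecab directive file:", cmdline)
```

The plain makecab invocation with source and target paths is intentionally not flagged, since the point of the rule is the case where the compressed files are hidden in the directive file.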
Date
2024-03-12 00:00:00
Modified
None
Id
dd300e4e-d45b-4ec6-8e00-088ce7e5d017
Tags
attack.execution attack.t1218
Type
Nextron Sigma feed only (private)

Rule History