Update and add Cabinet archive related rules

mandiant · Aug 1, 2023 · 8f86352 · 8f86352
1 parent a49c174
commit 8f86352
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 27 deletions.
diff --git a/data-manipulation/compression/create-cabinet-file.yml b/data-manipulation/compression/create-cabinet-file.yml
@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: create Cabinet file
+    namespace: data-manipulation/compression
+    authors:
+      - [email protected]
+      - [email protected]
+    scope: function
+    att&ck:
+      - Collection::Archive Collected Data::Archive via Library [T1560.002]
+    mbc:
+      - Data::Compress Data [C0024]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/devnotes/creating-a-cabinet
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+  features:
+    - and:
+      - match: create File Compression Interface context
+      - or:
+        - api: cabinet.FCIAddFile = add file to Cabinet
+        - api: cabinet.FCIFlushFolder = flush current folder under construction
+        - api: cabinet.FCIFlushCabinet = completes current cabinet
diff --git a/data-manipulation/compression/extract-files-from-cabinet.yml b/data-manipulation/compression/extract-files-from-cabinet.yml
@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: extract files from Cabinet
+    namespace: data-manipulation/compression
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
+    mbc:
+      - Data::Decompress Data [C0025]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/devnotes/extracting-files-from-a-cabinet
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+  features:
+    - and:
+      - match: create File Decompression Interface context
+      - or:
+        - api: cabinet.FDICopy
+        - api: cabinet.FDIDestroy
diff --git a/nursery/open-cabinet-file.yml → ...te-file-compression-interface-context.yml b/nursery/open-cabinet-file.yml → ...te-file-compression-interface-context.yml
@@ -1,12 +1,14 @@
 rule:
   meta:
-    name: open cabinet file
-    namespace: host-interaction/file-system
+    name: create File Compression Interface context
     authors:
       - [email protected]
+    lib: true
     scope: function
     references:
       - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
   features:
     - or:
       - api: cabinet.FCICreate
diff --git a/lib/create-file-decompression-interface-context.yml b/lib/create-file-decompression-interface-context.yml
@@ -0,0 +1,14 @@
+rule:
+  meta:
+    name: create File Decompression Interface context
+    authors:
+      - [email protected]
+    lib: true
+    scope: function
+    references:
+      - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+  features:
+    - or:
+      - api: cabinet.FDICreate
diff --git a/nursery/add-file-to-cabinet-file.yml b/nursery/add-file-to-cabinet-file.yml
diff --git a/nursery/flush-cabinet-file.yml b/nursery/flush-cabinet-file.yml