Update and add Cabinet archive related rules (#808)

* Update and add Cabinet archive related rules
mandiant · Nov 29, 2023 · fa61e11 · fa61e11
1 parent e0d5e95
commit fa61e11
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 27 deletions.
diff --git a/data-manipulation/compression/create-cabinet-on-windows.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: create Cabinet on Windows
+    namespace: data-manipulation/compression
+    authors:
+      - [email protected]
+      - [email protected]
+    scope: function
+    att&ck:
+      - Collection::Archive Collected Data::Archive via Library [T1560.002]
+    mbc:
+      - Data::Compress Data [C0024]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/devnotes/creating-a-cabinet
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+  features:
+    - and:
+      - match: create File Compression Interface context on Windows
+      - or:
+        - api: cabinet.FCIAddFile = add file to Cabinet
+        - api: cabinet.FCIFlushFolder = flush current folder under construction
+        - api: cabinet.FCIFlushCabinet = complete current cabinet
+        - api: cabinet.FCIDestroy = delete an open FCI context
diff --git a/data-manipulation/compression/extract-cabinet-on-windows.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: extract Cabinet on Windows
+    namespace: data-manipulation/compression
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
+    mbc:
+      - Data::Decompress Data [C0025]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/devnotes/extracting-files-from-a-cabinet
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+  features:
+    - and:
+      - match: create File Decompression Interface context on Windows
+      - or:
+        - api: cabinet.FDICopy
+        - api: cabinet.FDIDestroy
diff --git a/nursery/open-cabinet-file.yml → ...pression-interface-context-on-windows.yml b/nursery/open-cabinet-file.yml → ...pression-interface-context-on-windows.yml
@@ -1,12 +1,14 @@
 rule:
   meta:
-    name: open cabinet file
-    namespace: host-interaction/file-system
+    name: create File Compression Interface context on Windows
     authors:
       - [email protected]
+    lib: true
     scope: function
     references:
       - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
   features:
     - or:
       - api: cabinet.FCICreate
diff --git a/lib/create-file-decompression-interface-context-on-windows.yml b/lib/create-file-decompression-interface-context-on-windows.yml
@@ -0,0 +1,14 @@
+rule:
+  meta:
+    name: create File Decompression Interface context on Windows
+    authors:
+      - [email protected]
+    lib: true
+    scope: function
+    references:
+      - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+    examples:
+      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+  features:
+    - or:
+      - api: cabinet.FDICreate
diff --git a/nursery/add-file-to-cabinet-file.yml b/nursery/add-file-to-cabinet-file.yml
diff --git a/nursery/flush-cabinet-file.yml b/nursery/flush-cabinet-file.yml