Suspicious Extrac32 Execution

Original Source: [Sigma source]
Title: Suspicious Extrac32 Execution
Status: test
Description: Download or Copy file with Extrac32
References:
  - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
Author: frack113
Date: 2021-11-26
Modified: 2022-08-13
Tags:
  - 'attack.command-and-control'
  - 'attack.t1105'
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_lolbas:
    - CommandLine|contains: 'extrac32.exe'
    - Image|endswith: '\extrac32.exe'
    - OriginalFileName: 'extrac32.exe'
  selection_archive:
    CommandLine|contains: '.cab'
  selection_options:
    CommandLine|contains:
      - '/C'
      - '/Y'
      - ' \\\\'
  condition: all of selection_*
Falsepositives:
  - Unknown
Level: medium
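The Detection block above, evaluated as code: an added Python example (not part of the Sigma rule or project) that applies the three selections and the `all of selection_*` condition to constructed Sysmon-style process_creation events, using Sigma's case-insensitive string matching. The pattern `' \\\\'` is read here as a space followed by a literal `\\` (a UNC path prefix), which is an interpretation of Sigma's backslash escaping, and the sample events, hosts and file names are constructed.

```python
# Added example: evaluates the Suspicious Extrac32 Execution rule against constructed
# process_creation events. Field names follow Sysmon (Image, CommandLine, OriginalFileName).
# Sigma |contains / |endswith matching is case-insensitive, so values are lower-cased.

UNC_PREFIX = " \\\\"  # Sigma ' \\\\' unescaped: a space followed by the literal \\ of a UNC path


def _field(event, name):
    return str(event.get(name, "")).lower()


def selection_lolbas(event):
    # A YAML list of maps in Sigma is an OR: any one of the three identifies extrac32.
    return (
        "extrac32.exe" in _field(event, "CommandLine")
        or _field(event, "Image").endswith("\\extrac32.exe")
        or _field(event, "OriginalFileName") == "extrac32.exe"
    )


def selection_archive(event):
    return ".cab" in _field(event, "CommandLine")


def selection_options(event):
    # The list under CommandLine|contains is also an OR: any of /C, /Y or a UNC prefix.
    cmd = _field(event, "CommandLine")
    return any(opt.lower() in cmd for opt in ("/C", "/Y", UNC_PREFIX))


def matches(event):
    # condition: all of selection_*  (every selection must hold)
    return selection_lolbas(event) and selection_archive(event) and selection_options(event)


# Constructed sample events (no real telemetry, hosts or files).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\extrac32.exe", "OriginalFileName": "extrac32.exe",
     "CommandLine": r"extrac32.exe /Y /C \\fileserver\share\setup.cab C:\Users\Public\setup.cab"},
    {"id": 2, "Image": r"C:\Windows\System32\extrac32.exe", "OriginalFileName": "extrac32.exe",
     "CommandLine": r"extrac32.exe /L C:\Temp C:\Temp\drivers.cab"},  # local extraction only
    {"id": 3, "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "extrac32.exe",  # renamed copy
     "CommandLine": r"svc.exe /C \\fileserver\share\update.cab C:\ProgramData\update.cab"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /C copy \\fileserver\share\notes.txt C:\Users\Public\notes.txt"},
]


def evaluate(events):
    """Return the ids of events that trigger the rule."""
    return [ev["id"] for ev in events if matches(ev)]


if __name__ == "__main__":
    print(evaluate(EVENTS))  # → [1, 3]
```

Event 3 only fires because of `OriginalFileName`, which is why the rule does not rely on the image path or command-line binary name alone.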