Type: Detection | Level: medium | Status: test
Creation of a Diagcab
Detects the creation of a .diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location).
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)
detection:
    selection:
        TargetFilename|endswith: '.diagcab'
    condition: selection

False Positives
Legitimate Microsoft diagcab files
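To show how this selector behaves against file-event telemetry, here is an added example (not the rule's own code and not part of Phoenix Studio): a minimal evaluator for the single `|endswith` selector above, run over constructed Sysmon-style file-create records. Sigma string matching is case-insensitive by default, which is why `Invoice.DIAGCAB` is a hit while `notes.diagcab.txt` is not; the event field names and paths are assumed sample values.

```python
# The rule's only selector, as a Sigma selection map (field|modifier: value).
RULE_SELECTION = {"TargetFilename|endswith": ".diagcab"}

# Constructed sample events shaped like normalised Sysmon Event ID 11
# (FileCreate) records; they are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\Troubleshoot.diagcab"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Invoice.DIAGCAB"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\notes.diagcab.txt"},
]


def _match_value(field_value, modifier, pattern):
    """Compare one field value against one pattern under a Sigma modifier.
    Sigma compares strings case-insensitively unless |cased is used."""
    if not isinstance(field_value, str):
        return False
    value, pat = field_value.lower(), str(pattern).lower()
    if modifier == "endswith":
        return value.endswith(pat)
    if modifier is None:  # no modifier: exact (case-insensitive) match
        return value == pat
    raise NotImplementedError(f"modifier {modifier!r} not supported here")


def matches_selection(event, selection=RULE_SELECTION):
    """All keys in a selection map are ANDed; a list of values is ORed."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_match_value(event.get(field), modifier or None, p)
                   for p in patterns):
            return False
    return True


def triage(events):
    """Return the fields an analyst reviews first for each hit: the file's
    name and location, and the process that wrote it (to weed out the
    legitimate-installer false positive the rule warns about)."""
    return [{"file": ev["TargetFilename"], "writer": ev.get("Image", "")}
            for ev in events if matches_selection(ev)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['file']}  written by {hit['writer']}")
```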
References
MITRE ATT&CK
Rule Metadata
Rule ID
3d0ed417-3d94-4963-a562-4a92c940656a
Status
test
Level
medium
Type
Detection
Created
Wed Jun 08
Author
Path
rules/windows/file/file_event/file_event_win_susp_diagcab.yml
Raw Tags
attack.resource-development