A dropper is being executed from a CAB file, an archive format commonly used to package malicious payloads for deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware distribution and lateral movement tactics.
YARA Rule
rule Mal_Dropper_httpEXE_from_CAB : Dropper {
    meta:
        description = "Detects a dropper from a CAB file mentioned in the article"
        author = "Florian Roth"
        reference = "https://goo.gl/13Wgy1"
        date = "2016-05-25"
        score = 60
        hash1 = "9e7e5f70c4b32a4d5e8c798c26671843e76bb4bd5967056a822e982ed36e047b"
    strings:
        $s1 = "029.Hdl" fullword ascii
        $s2 = "http.exe" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: A system administrator is performing a scheduled Windows Update that includes CAB files as part of the update package.
Filter/Exclusion: Check for the presence of Windows Update or wuau in the process name or command line.
Scenario: A legitimate software deployment tool (e.g., Microsoft System Center Configuration Manager) is distributing CAB files as part of a patch or configuration update.
Filter/Exclusion: Include a filter for the deployment tool’s process name (e.g., ConfigMgr.exe) or the associated service name (e.g., SCCM).
Scenario: A user is manually extracting CAB files using a tool like expand.exe or cabarc as part of a software installation or troubleshooting task.
Filter/Exclusion: Filter by the presence of expand.exe, cabarc, or the user’s known administrative tasks in the command line.
Scenario: A scheduled backup job is extracting CAB files from an archive to restore a system state or application configuration.
Filter/Exclusion: Check for the presence of backup tools like Veeam, Commvault, or Veritas in the process name or command line.
Scenario: A developer is using a CAB file to package and distribute an internal application, and the CAB is being extracted as part of the build or deployment process.
Filter/Exclusion: Filter by the developer’s username or the build tool (e.g., MSBuild, npm, Maven) in the command line or process context.
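The following added example (not part of the original page or of the signature-base project) re-implements the rule's condition in plain Python, including YARA's fullword semantics, and then applies the exclusion scenarios above as a triage filter over constructed process events. The BENIGN_MARKERS list, the sample bytes and the event records are assumptions built from the scenarios listed here, not real telemetry.

```python
import re

# The rule's two strings, evaluated with YARA "fullword" semantics: a match may
# not be immediately preceded or followed by an alphanumeric byte.
RULE_STRINGS = (b"029.Hdl", b"http.exe")
MAX_SIZE = 1000 * 1024  # YARA "1000KB"

def fullword_match(data: bytes, needle: bytes) -> bool:
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None

def matches_rule(data: bytes) -> bool:
    """Re-implements the condition of Mal_Dropper_httpEXE_from_CAB."""
    if data[:2] != b"MZ":        # uint16(0) == 0x5a4d is the little-endian "MZ" header
        return False
    if len(data) >= MAX_SIZE:    # filesize < 1000KB
        return False
    return all(fullword_match(data, s) for s in RULE_STRINGS)  # all of ($s*)

# Markers taken from the benign scenarios above (process names, services, tools).
# Hypothetical starting list: substring matching is deliberately loose, so
# review each exclusion against your own telemetry before relying on it.
BENIGN_MARKERS = ("windows update", "wuau", "configmgr.exe", "sccm", "expand.exe",
                  "cabarc", "veeam", "commvault", "veritas", "msbuild", "npm", "maven")

def is_likely_benign(process_name: str, command_line: str) -> bool:
    context = f"{process_name} {command_line}".lower()
    return any(marker in context for marker in BENIGN_MARKERS)

def triage(events):
    """Keep events whose file matches the rule and whose process context is
    not covered by one of the exclusion scenarios."""
    return [e for e in events
            if matches_rule(e["file_bytes"])
            and not is_likely_benign(e["process"], e["cmdline"])]

# Constructed sample files (not real malware): a bare MZ header plus padding.
SAMPLE_HIT = b"MZ" + b"\x00" * 64 + b"029.Hdl" + b"\x00" * 8 + b"http.exe\x00"
SAMPLE_PARTIAL = b"MZ" + b"\x00" * 64 + b"http.exe\x00"          # only $s2 present
SAMPLE_NOT_FULLWORD = b"MZ" + b"\x00" * 64 + b"029.Hdlx" + b"\x00" + b"http.exe\x00"

# Constructed process events, shaped like what a Sentinel hunt might surface.
EVENTS = [
    {"process": "http.exe", "cmdline": r"C:\Users\bob\AppData\Local\Temp\http.exe",
     "file_bytes": SAMPLE_HIT},
    {"process": "expand.exe", "cmdline": r"expand.exe update.cab -F:* C:\Temp",
     "file_bytes": SAMPLE_HIT},
    {"process": "setup.exe", "cmdline": r"setup.exe /quiet", "file_bytes": SAMPLE_PARTIAL},
]
```

Running triage(EVENTS) leaves only the http.exe event for analyst review: the expand.exe event is suppressed by the manual-extraction exclusion and the setup.exe event never matched the rule.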