The creation of a .diagcab file can indicate malicious activity, since this file type has been associated with exploit kits and malware distribution, although legitimate installers and Microsoft diagnostic tooling also produce it. SOC teams should hunt for this behaviour in Azure Sentinel, reviewing the filename and the location it was written to, in order to identify potential compromise vectors and reduce the risk from unknown or suspicious file executions.
Detection Rule

```yaml
title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
description: Detects the creation of a diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
references:
    - https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
date: 2022-06-08
tags:
    - attack.resource-development
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.diagcab'
    condition: selection
falsepositives:
    - Legitimate Microsoft diagcab
level: medium
```

Azure Sentinel (KQL) query:

```kql
imFileEvent
| where TargetFileName endswith ".diagcab"
```
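As an added example (not code from the original rule page or from the Sigma project), the following Python script evaluates the rule's selection over a handful of constructed file-creation events and then applies the false-positive exclusions described in the scenarios on this page as a tuning layer, so the effect of each exclusion on the alert volume can be seen. The field names, the `%windir%` fallback, and the creator image names are assumptions modelled on the page's text; the installer image names are hypothetical placeholders, since the page names products rather than binaries.

```python
"""Added example: evaluate the 'Creation of a Diagcab' selection over constructed
file-creation events and apply the page's false-positive exclusions as a tuning
layer.  Not code from the original page or the Sigma project."""
import ntpath
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    """A file-creation event carrying the fields the rule and its tuning need."""
    target_filename: str  # full path of the created file (Sigma TargetFilename)
    image: str            # full path of the process that created the file
    user: str             # account the creating process ran as


def matches_rule(event: FileEvent) -> bool:
    """The Sigma selection: TargetFilename|endswith '.diagcab' (case-insensitive)."""
    return event.target_filename.lower().endswith(".diagcab")


# %windir% as written on the page; falls back to the default install path when the
# variable is absent (e.g. when this script runs on a non-Windows host).
WINDIR = os.environ.get("windir", r"C:\Windows")
SYSTEM32_DIR = ntpath.normcase(ntpath.join(WINDIR, "System32")) + "\\"
WINTEMP_DIR = ntpath.normcase(ntpath.join(WINDIR, "Temp")) + "\\"

# Creator images taken from the page's scenarios (assumption: adjust per environment).
UPDATE_IMAGES = {"svchost.exe", "wuauserv.exe"}
DART_IMAGES = {"diagcab.exe"}
# Hypothetical placeholders: the page names installer products, not binaries.
INSTALLER_IMAGES = {"placeholder_vs_installer.exe", "placeholder_adobe_installer.exe"}


def exclusion_reason(event: FileEvent) -> Optional[str]:
    """Return the page scenario that suppresses this event, or None if it should alert."""
    target = ntpath.normcase(event.target_filename)
    image = ntpath.basename(ntpath.normcase(event.image))
    if target.startswith(SYSTEM32_DIR) or image in UPDATE_IMAGES:
        return "windows-update-or-repair"
    if target.startswith(WINTEMP_DIR) or image in DART_IMAGES:
        return "dart"
    if image in INSTALLER_IMAGES:
        return "known-installer"
    return None


def triage(events: List[FileEvent]) -> List[Tuple[FileEvent, str]]:
    """Pair each event with 'no-match', 'suppressed:<scenario>' or 'alert'."""
    results = []
    for event in events:
        if not matches_rule(event):
            verdict = "no-match"
        else:
            reason = exclusion_reason(event)
            verdict = f"suppressed:{reason}" if reason else "alert"
        results.append((event, verdict))
    return results


def alerts(events: List[FileEvent]) -> List[str]:
    """Target paths that survive both the rule and the tuning layer."""
    return [e.target_filename for e, v in triage(events) if v == "alert"]


# Constructed sample events (not real telemetry); paths under WINDIR are built
# from the variable so the exclusions line up on any host.
SAMPLE_EVENTS = [
    FileEvent(ntpath.join(WINDIR, "System32", "DiagCabs", "NetworkDiagnostics.diagcab"),
              ntpath.join(WINDIR, "System32", "svchost.exe"), r"NT AUTHORITY\SYSTEM"),
    FileEvent(ntpath.join(WINDIR, "Temp", "dart_session.diagcab"),
              r"C:\Program Files\DaRT\diagcab.exe", r"CORP\admin"),
    FileEvent(r"C:\Users\alice\Downloads\TroubleshootFix.diagcab",
              r"C:\Program Files\Mozilla Firefox\firefox.exe", r"CORP\alice"),
    FileEvent(r"C:\Users\alice\Desktop\notes.txt",
              ntpath.join(WINDIR, "System32", "notepad.exe"), r"CORP\alice"),
    FileEvent(r"C:\ProgramData\Vendor\setup.DIAGCAB",
              r"C:\ProgramData\Vendor\setup.exe", r"CORP\bob"),
]

if __name__ == "__main__":
    for event, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:38} {event.image} -> {event.target_filename}")
```

Of the five constructed events, two are suppressed by the page's Windows Update and DaRT exclusions, one never matches the rule, and two reach the analyst: a .diagcab written to a user's Downloads folder by a browser and one written by an unrecognised installer. The comparison is done on `ntpath.normcase` output so that mixed-case paths and extensions (`setup.DIAGCAB`) are handled the same way the Sigma `endswith` modifier handles them.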
False Positive Scenarios

Scenario: Legitimate Windows Update or System Repair Tool
Description: A legitimate system repair tool or the Windows Update process may generate a diagcab file during system diagnostics or repair operations.
Filter/Exclusion: Exclude files created in the %windir%\System32 directory or by processes associated with svchost.exe or wuauserv.exe.

Scenario: Microsoft Diagnostics and Recovery Toolset (DaRT) Usage
Description: IT administrators may use DaRT (Diagnostics and Recovery Toolset) to create diagcab files for system diagnostics or recovery purposes.
Filter/Exclusion: Exclude files created in the C:\Windows\Temp directory or by processes with the image name diagcab.exe (if known to be part of DaRT).

Scenario: Scheduled System Diagnostic Job
Description: A scheduled task may be configured to run a diagnostic tool that generates a diagcab file as part of routine system health checks.
Filter/Exclusion: Exclude files created by the Task Scheduler service or by tasks with known names such as SystemDiagnosticJob.

Scenario: Third-Party Software Installer
Description: Some third-party software installers or deployment tools may generate diagcab files as part of their installation or configuration process.
Filter/Exclusion: Exclude files created by known legitimate installers such as the Microsoft Visual Studio Installer, Adobe Installer, or Oracle Universal Installer.

Scenario: User-Initiated System Diagnostic Tool
Description: A user may manually run a diagnostic tool (e.g., msconfig, System File Checker, or third-party utilities) that creates a diagcab file for troubleshooting.
Filter/Exclusion: Exclude files created by user-initiated processes in the `C:\Users<