create Cabinet on Windows

rule:
  meta:
    name: create Cabinet on Windows
    namespace: data-manipulation/compression
    authors:
      - michael.hunhoff@mandiant.com
      - jakub.jozwiak@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Collection::Archive Collected Data::Archive via Library [T1560.002]
    mbc:
      - Data::Compress Data [C0024]
    references:
      - https://learn.microsoft.com/en-us/windows/win32/devnotes/creating-a-cabinet
    examples:
      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
  features:
    - and:
      - match: create File Compression Interface context on Windows
      - or:
        - api: cabinet.FCIAddFile = add file to Cabinet
        - api: cabinet.FCIFlushFolder = flush current folder under construction
        - api: cabinet.FCIFlushCabinet = complete current cabinet
        - api: cabinet.FCIDestroy = delete an open FCI context