Windows Cabinet File Extraction Via Expand

Original Source: [splunk source]
Name:Windows Cabinet File Extraction Via Expand
id:4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f
version:1
date:2025-09-18
author:Michael Haag, Splunk
status:production
type:TTP
Description:Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with emphasis on extractions into `C:\\ProgramData` or similar staging locations. In recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into ProgramData prior to persistence and execution. This behavior is a strong signal for ingress tool transfer and staging of payloads.
Data_source:
  • -Sysmon EventID 1
  • -Windows Event Log Security 4688
  • -CrowdStrike ProcessRollup2
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where Processes.process_name="expand.exe"
(Processes.process="*-F:*" OR Processes.process="*/F:*")
Processes.process="*\\ProgramData\\*"
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cabinet_file_extraction_via_expand_filter`


how_to_implement:This analytic relies on process creation telemetry mapped to the Endpoint.Processes datamodel (e.g., Sysmon EID 1 or EDR). Ensure full command-line logging is enabled to capture expand.exe arguments, including `/F:*` or `-F:*` and destination paths.
known_false_positives:Legitimate software deployment or administrators may use expand.exe for local file extraction. Filter by approved deployment tools, signed parent processes, and sanctioned paths.
References:
  -https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
drilldown_searches:
name:'View the detection results for - "$user$" and "$dest$"'
search:'%original_detection_search% | search user = "$user$" dest = "$dest$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$" and "$dest$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` '
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'APT37 Rustonotto and FadeStealer'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1105'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
manual_test:None

Related Analytic Stories


APT37 Rustonotto and FadeStealer