Name:Windows Cabinet File Extraction Via Expand id:4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f version:1 date:2025-09-18 author:Michael Haag, Splunk status:production type:TTP Description:Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with
emphasis on extractions into `C:\\ProgramData` or similar staging locations. In
recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into
ProgramData prior to persistence and execution. This behavior is a strong signal
for ingress tool transfer and staging of payloads.
Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
-CrowdStrike ProcessRollup2
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="expand.exe" (Processes.process="*-F:*" OR Processes.process="*/F:*") Processes.process="*\\ProgramData\\*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cabinet_file_extraction_via_expand_filter`
how_to_implement:This analytic relies on process creation telemetry mapped to the Endpoint.Processes
datamodel (e.g., Sysmon EID 1 or EDR). Ensure full command-line logging is enabled
to capture expand.exe arguments, including `/F:*` or `-F:*` and destination paths.
known_false_positives:Legitimate software deployment or administrators may use expand.exe for local
file extraction. Filter by approved deployment tools, signed parent processes,
and sanctioned paths.
References: -https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168
| stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories"
values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
by normalized_risk_object
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'APT37 Rustonotto and FadeStealer' asset_type:Endpoint mitre_attack_id: - 'T1105' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint