legitimate software deployment or administrators may use expand.exe for local file extraction. filter by approved deployment tools, signed parent processes, and sanctioned paths.

Techniques

T1105

Sample rules

Windows Cabinet File Extraction Via Expand

source: splunk
technicques:
- T1105

Description

Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with emphasis on extractions into C:\\ProgramData or similar staging locations. In recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into ProgramData prior to persistence and execution. This behavior is a strong signal for ingress tool transfer and staging of payloads.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where Processes.process_name="expand.exe"
  (Processes.process="*-F:*" OR Processes.process="*/F:*")
  Processes.process="*\\ProgramData\\*"
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_cabinet_file_extraction_via_expand_filter`