{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cabinet_extraction/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["APT37"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["cabinet_extraction","expand.exe","apt37","windows","endpoint"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying the use of \u003ccode\u003eexpand.exe\u003c/code\u003e, a legitimate Windows utility, for the extraction of Microsoft Cabinet (CAB) archives into suspicious directories. Threat actors may use this technique to bypass security controls and stage malicious payloads. The activity is considered suspicious when the destination path is \u003ccode\u003eC:\\\\ProgramData\u003c/code\u003e or other similar staging locations. In particular, APT37 has been observed using this method, expanding CAB files (e.g., wonder.cab) into \u003ccode\u003eC:\\\\ProgramData\u003c/code\u003e before establishing persistence and executing the payload. The technique is a strong indicator of initial access via tool transfer and subsequent payload staging, allowing attackers to execute further malicious actions on the compromised system. This detection is based on behavioral analysis, specifically focusing on the combination of \u003ccode\u003eexpand.exe\u003c/code\u003e execution and the extraction path.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker transfers a malicious CAB archive (e.g., wonder.cab) to the compromised system, potentially using tools like \u003ccode\u003ecertutil.exe\u003c/code\u003e or \u003ccode\u003ebitsadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eexpand.exe\u003c/code\u003e with the \u003ccode\u003e-F:*\u003c/code\u003e or \u003ccode\u003e/F:*\u003c/code\u003e option to extract the contents of the CAB archive.\u003c/li\u003e\n\u003cli\u003eThe destination directory for the extraction is set to \u003ccode\u003eC:\\\\ProgramData\u003c/code\u003e or a similar staging location.\u003c/li\u003e\n\u003cli\u003eThe extracted files may include malicious executables, scripts, or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task or registry entry that points to the extracted malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched, initiating further stages of the attack, such as establishing a command-and-control (C2) connection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of endpoints and subsequent data theft, ransomware deployment, or lateral movement within the network. The use of \u003ccode\u003eexpand.exe\u003c/code\u003e for malicious purposes can bypass traditional security measures, as it is a legitimate Windows utility. The impact is heightened when threat actors like APT37 employ this technique to deliver and stage sophisticated malware. This activity can affect any Windows endpoint within an organization, potentially leading to significant operational disruption and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with full command-line auditing (e.g., Sysmon Event ID 1 or Windows Event Log Security 4688) to capture \u003ccode\u003eexpand.exe\u003c/code\u003e arguments, including \u003ccode\u003e/F:*\u003c/code\u003e or \u003ccode\u003e-F:*\u003c/code\u003e, and destination paths, as described in the \u003cstrong\u003eHow To Implement\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule, \u003cstrong\u003eDetect Windows Cabinet File Extraction to ProgramData\u003c/strong\u003e, to your SIEM and tune it based on your environment. Pay special attention to potential false positives, as outlined in the \u003cstrong\u003eKnown False Positives\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eMonitor parent processes of \u003ccode\u003eexpand.exe\u003c/code\u003e to identify potential ingress tools or delivery mechanisms (e.g., \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eexpand.exe\u003c/code\u003e being executed with a destination path of \u003ccode\u003eC:\\\\ProgramData\u003c/code\u003e or similar staging directories.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint detection and response (EDR) policies to specifically detect and alert on \u003ccode\u003eexpand.exe\u003c/code\u003e being used to extract CAB archives into suspicious locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T18:01:21Z","date_published":"2026-05-28T18:01:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windows-cabinet-extraction/","summary":"Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.","title":"Windows Cabinet File Extraction via Expand.exe","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-cabinet-extraction/"}],"language":"en","title":"CraftedSignal Threat Feed — Cabinet_extraction","version":"https://jsonfeed.org/version/1.1"}