splunk_escuTTP

Windows Cabinet File Extraction Via Expand

Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with emphasis on extractions into `C:\\ProgramData` or similar staging locations. In recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into ProgramData prior to persistence and execution. This behavior is a strong signal for ingress tool transfer and staging of payloads.

MITRE ATT&CK

T1105

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where Processes.process_name="expand.exe"
  (Processes.process="*-F:*" OR Processes.process="*/F:*")
  Processes.process="*\\ProgramData\\*"
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cabinet_file_extraction_via_expand_filter`

Author

Michael Haag, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 1Windows Event Log Security 4688CrowdStrike ProcessRollup2

References

https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader

Tags

APT37 Rustonotto and FadeStealerNetSupport RMM Tool Abuse

Raw Content

name: Windows Cabinet File Extraction Via Expand
id: 4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f
version: 3
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: |
    Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with
    emphasis on extractions into `C:\\ProgramData` or similar staging locations. In
    recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into
    ProgramData prior to persistence and execution. This behavior is a strong signal
    for ingress tool transfer and staging of payloads.
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
search: |
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="expand.exe"
      (Processes.process="*-F:*" OR Processes.process="*/F:*")
      Processes.process="*\\ProgramData\\*"
    by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_cabinet_file_extraction_via_expand_filter`
how_to_implement: |
    This analytic relies on process creation telemetry mapped to the Endpoint.Processes
    datamodel (e.g., Sysmon EID 1 or EDR). Ensure full command-line logging is enabled
    to capture expand.exe arguments, including `/F:*` or `-F:*` and destination paths.
known_false_positives: |
    Legitimate software deployment or administrators may use expand.exe for local
    file extraction. Filter by approved deployment tools, signed parent processes,
    and sanctioned paths.
references:
    - https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: |
        | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168
        | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
          values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories"
          values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
          by normalized_risk_object
        | `security_content_ctime(firstTime)`
        | `security_content_ctime(lastTime)`
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: expand.exe extracted cabinet contents on $dest$ executed by $user$.
    risk_objects:
        - field: dest
          type: system
          score: 50
        - field: user
          type: system
          score: 50
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - APT37 Rustonotto and FadeStealer
        - NetSupport RMM Tool Abuse
    asset_type: Endpoint
    mitre_attack_id:
        - T1105
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog