splApache-2.0from splunk/security_content
Windows Cabinet File Extraction Via Expand
Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with emphasis on extractions into `C:\\ProgramData` or similar staging locations. In recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into ProgramData prior to persistence and execution. This behavior is a strong signal for ingress tool transfer and staging of payloads.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_cabinet_file_extraction_via_expand.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where Processes.process_name="expand.exe"
(Processes.process="*-F:*" OR Processes.process="*/F:*")
Processes.process="*\\ProgramData\\*"
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cabinet_file_extraction_via_expand_filter`