Create windows_expand_cabinet_file_extraction.yml

detections/endpoint/windows_expand_cabinet_file_extraction.yml

@@ -0,0 +1,85 @@
+name: Windows Expand Cabinet File Extraction
+id: 4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f
+version: 1
+date: '2025-09-18'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+  Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with
+  emphasis on extractions into `C:\\ProgramData` or similar staging locations. In
+  recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into
+  ProgramData prior to persistence and execution. This behavior is a strong signal
+  for ingress tool transfer and staging of payloads.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+  from datamodel=Endpoint.Processes
+  where Processes.process_name="expand.exe"
+    (Processes.process="* -F:* *" OR Processes.process="* /F:* *")
+    (Processes.process="*.cab*" OR Processes.process="*\\ProgramData\\*")
+  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_expand_cabinet_file_extraction_filter`
+how_to_implement: |
+  This analytic relies on process creation telemetry mapped to the Endpoint.Processes
+  datamodel (e.g., Sysmon EID 1 or EDR). Ensure full command-line logging is enabled
+  to capture expand.exe arguments, including `/F:*` or `-F:*` and destination paths.
+known_false_positives: |
+  Legitimate software deployment or administrators may use expand.exe for local
+  file extraction. Filter by approved deployment tools, signed parent processes,
+  and sanctioned paths.
+references:
+- https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: |
+    | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168
+    | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
+      values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories"
+      values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: expand.exe extracted cabinet contents on $dest$ executed by $user$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 30
+  - field: user
+    type: system
+    score: 30
+  threat_objects: 
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story:
+  - APT37 Rustonotto and FadeStealer
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1105
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
+
+