Process


makecab.exe

makecab.exe compresses files into Windows cabinet (.cab) archives and is used in packaging and servicing. Attackers use it to compress collected data before exfiltration, shrinking the files and bundling them into a single archive that is easier to move off the host.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • ADS · makecab {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:autoruns.cab · Hide data compressed into an alternate data stream
  • ADS · makecab {PATH_SMB:.exe} {PATH_ABSOLUTE}:file.cab · Hide data compressed into an alternate data stream
  • Download · makecab {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab} · Download file and compress into a cab file
  • Execute · makecab /F {PATH:.ddf} · Bypass command-line based detections

Indicators

Hashes

Not observed.

Analysis

About this process

makecab.exe packs one or more files into a .cab cabinet archive. For multi-file cabinets it can be driven by a directive file (.ddf, passed with /F) that lists the source files and names the output; in that mode the command line itself names nothing but the .ddf. It is the compression counterpart to expand.exe, which extracts cabinets. The genuine binary lives at C:\Windows\System32\makecab.exe.

Legitimately, makecab is used by installers, servicing, and log-packaging routines. What it is compressing, and where the archive goes, are what give an instance meaning.

Security notes

makecab.exe is used to archive data before exfiltration (T1560.001, Archive via Utility). Compressing collected files into a .cab makes them smaller and bundles them into one object that is easier to move, a common step between staging data and sending it out. A makecab run over documents or gathered files, producing an archive in a staging directory that subsequently leaves the host, fits the collect-archive-exfiltrate pattern.

Because makecab has legitimate packaging uses, the source files and the archive's destination are what matter. User documents bundled under a script host into a staging directory, followed by a transfer of the resulting .cab off the host, separates exfiltration prep from ordinary packaging. Two of the documented abuse patterns deliberately weaken command-line visibility: with /F the file list and output location sit in the directive file rather than on the command line, and an output path of the form file.txt:name.cab writes the cabinet into an alternate data stream, so the archive does not appear as a separate file in a directory listing.

Anomaly signals
  • Image path other than C:\Windows\System32\makecab.exe · high
  • An archive written to a staging path that is then sent over the network · high
  • Archiving documents or collected data from user directories · medium
  • Parent is a script host or an unfamiliar process rather than an installer · medium
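The anomaly signals and LOLBAS patterns above can be turned into a triage routine over process-creation events. The Python below is an added example written for this page, not code from the page itself or from the LOLBAS project: it scores an event's image path, parent and command line, recovers the real file list from a /F directive file when the analyst has retrieved it, and correlates the output cabinet with paths that other telemetry saw leaving the host. The event shape (image, parent_image, command_line), the script-host and user-data folder lists, the sample events, the directive file and the EXFILTRATED set are all constructed assumptions, not a vendor schema or captured data.

```python
"""Triage makecab.exe process-creation events against the anomaly signals and LOLBAS
patterns listed above. Added example; the events, directive file and exfiltration hint
are constructed, not real telemetry."""
import re

SYSTEM_IMAGE = r"c:\windows\system32\makecab.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Per-user data folders (C:\Users\Public excluded): an assumed list, extend as needed.
USER_DATA_RE = re.compile(
    r"^[a-z]:\\users\\(?!public\\)[^\\]+\\(documents|desktop|downloads|pictures|onedrive)\\", re.I)
ADS_RE = re.compile(r"^[a-z]:\\[^:]*:[^\\:]+$", re.I)   # C:\dir\host.txt:name.cab
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                     # \\server\share\...
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(command_line):
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]


def parse_ddf(text):
    """Recover source files and the output cabinet from a .ddf: '.' starts a directive,
    ';' a comment, any other non-empty line names a file to pack."""
    sources, out_dir, cab_name = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("."):
            m = re.match(r"\.set\s+(\w+)\s*=\s*(.*)", line, re.I)
            if m:
                key, value = m.group(1).lower(), m.group(2).strip().strip('"')
                if key == "diskdirectorytemplate":
                    out_dir = value
                elif key == "cabinetnametemplate":
                    cab_name = value
            continue
        sources.append(tokenize(line)[0])
    return sources, (out_dir.rstrip("\\") + "\\" if out_dir else "") + cab_name


def triage(event, ddf_text=None, exfiltrated=frozenset()):
    """Return (tag, reason) pairs: 'high'/'med' follow the anomaly signals above, 'lolbas'
    marks a documented abuse pattern. event has image, parent_image, command_line (assumed
    shape); ddf_text is the retrieved /F file; exfiltrated holds paths seen leaving the host."""
    findings = []
    if event["image"].lower() != SYSTEM_IMAGE:
        findings.append(("high", "image path is not C:\\Windows\\System32\\makecab.exe"))
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        findings.append(("med", f"parent is a script host: {parent}"))
    args = tokenize(event["command_line"])[1:]
    positional = [a for a in args if not a.startswith("/")]
    if any(a.upper() == "/F" for a in args):
        # Only the .ddf path is on the command line; the file list lives inside it.
        findings.append(("lolbas", "/F directive file hides sources and destination"))
        sources, dest = parse_ddf(ddf_text) if ddf_text is not None else ([], "")
    else:   # makecab <src>... <dest>; a lone argument is a source whose output name is derived
        sources, dest = (positional[:-1], positional[-1]) if len(positional) > 1 else (positional, "")
    for src in sources:
        if USER_DATA_RE.match(src):
            findings.append(("med", f"archives user data: {src}"))
        if UNC_RE.match(src):
            findings.append(("lolbas", f"remote source compressed locally: {src}"))
    if ADS_RE.match(dest):
        findings.append(("lolbas", f"cabinet written into an alternate data stream: {dest}"))
    if dest and dest.lower() in {p.lower() for p in exfiltrated}:
        findings.append(("high", f"staged cabinet later left the host: {dest}"))
    return findings


SAMPLE_EVENTS = [   # constructed, one per scenario discussed above
    {"image": r"C:\Windows\System32\makecab.exe",         # installer packaging, benign
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'makecab "C:\Program Files\Vendor\app.log" C:\ProgramData\Vendor\app.cab'},
    {"image": r"C:\Windows\System32\makecab.exe",         # documents staged under PowerShell
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"makecab C:\Users\alice\Documents\Q3-forecast.xlsx C:\Users\Public\Libraries\out.cab"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\mc.exe", # renamed copy, UNC source, ADS target
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"mc.exe \\10.0.0.5\share\tool.exe C:\Users\Public\readme.txt:tool.cab"},
    {"image": r"C:\Windows\System32\makecab.exe",         # directive file: command line says little
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"makecab /F C:\Users\Public\build.ddf"},
]
SAMPLE_DDF = r"""
.OPTION EXPLICIT
.Set CabinetNameTemplate=archive.cab
.Set DiskDirectoryTemplate=C:\Users\Public\Libraries
"C:\Users\alice\Documents\board-minutes.docx"
C:\Users\alice\Desktop\passwords.txt
"""
EXFILTRATED = {r"C:\Users\Public\Libraries\out.cab"}   # constructed: seen in an outbound transfer


def triage_samples():
    """Triage every sample event; the /F event gets its directive file attached."""
    return [triage(e, SAMPLE_DDF if "/F" in e["command_line"] else None, EXFILTRATED)
            for e in SAMPLE_EVENTS]
```

The benign msiexec-driven event produces no findings, while the PowerShell event only reaches high once the cabinet path is matched against outbound-transfer telemetry; on its own the archive in C:\Users\Public is just a medium signal. The /F event shows why directive files matter: with only the command line the routine can say that the file list is hidden, and it takes the retrieved .ddf to expose that user documents were packed into a public staging folder.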

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
