S0361: Expand
Analyst context for executives and security teams
Expand is a legitimate Windows command-line utility for extracting compressed CAB files. Its business relevance is that normal administrative tooling can be used to turn staged or transferred compressed content into executable files, as documented in the ATT&CK description for BBSRAT. This makes it a coverage question for Windows endpoint monitoring: can the organization distinguish routine CAB expansion from suspicious expansion into executable content, especially when it appears near file transfer, deobfuscation, or hiding behaviors?
Executive priority
Treat this as a living-off-the-land visibility issue rather than a standalone malware indicator. Leaders should ask whether Windows command execution, file creation, and archive/CAB extraction activity are logged well enough to support incident response and audit evidence. Priority is highest where Windows systems are critical to operations and where SOC teams depend on endpoint telemetry to reconstruct staging, lateral movement, and payload preparation activity.
Technical view
For SOC and IR teams, validate monitoring around expand.exe execution on Windows, including command line, parent process, user context, working directory, source CAB path, destination path, and subsequent file execution. ATT&CK provides no dedicated detection text for this tool, so detection should be relationship-driven: correlate Expand usage with Deobfuscate/Decode Files or Information (T1140), NTFS File Attributes hiding behavior (T1564.004), and Lateral Tool Transfer (T1570). Suspicious patterns may include CAB extraction followed by executable content creation or execution, use from unusual directories, unexpected users, or activity near internal file transfers.
Likely telemetry
- Windows process creation events for expand.exe and parent/child process context
- Command-line arguments showing CAB source and extraction destination
- File creation and modification events for extracted content, especially executable files
- Endpoint telemetry showing subsequent execution of extracted files
- Windows file system telemetry relevant to NTFS attributes or alternate data stream investigations where available
Detection direction
- Baseline legitimate administrative and software-maintenance use of Expand before alerting broadly, because it is a Microsoft Windows utility.
- Correlate Expand execution with creation of executable content, unusual destinations, or immediate child-process execution rather than treating any use as malicious.
- Review activity chains that include internal file transfer followed by CAB expansion, aligning with the Lateral Tool Transfer relationship.
- Where telemetry supports it, investigate whether extracted content is hidden or associated with NTFS file attribute abuse, aligning with T1564.004.
- Account for false positives from software installation, driver/package handling, and administrator maintenance tasks.
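A triage rule that applies the correlation logic above to expand.exe process-creation events, as an added example that is not part of the ATT&CK object or the Glexia analysis: the event field names, the staging-directory list and the benign-parent baseline are assumptions to be replaced by a local baseline, and the three events are constructed.

```python
"""Triage of expand.exe process-creation events (added example; event fields,
staging directories and the parent baseline are assumptions; events are constructed)."""
import shlex

EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr")
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")
BASELINE_PARENTS = {"msiexec.exe", "setup.exe", "dism.exe"}  # assumed local maintenance baseline

def parse_expand_args(cmdline):
    """Return (source, destination) from an expand.exe command line.
    Switches such as -r, -d, -i and -f:<files> are skipped; destination may be None."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)][1:]
    positional = [t for t in tokens if not t.startswith(("-", "/"))]
    source = positional[0] if positional else None
    dest = positional[1] if len(positional) > 1 else None
    return source, dest

def is_ads(path):
    """A second colon after the drive letter names an NTFS alternate data stream."""
    return ":" in path[2:]

def triage(event):
    """Return the reasons an expand.exe event deserves review; an empty list means routine."""
    if event["image"].lower().rsplit("\\", 1)[-1] != "expand.exe":
        return []
    source, dest = parse_expand_args(event["cmdline"])
    reasons = []
    if source and source.startswith("\\\\"):
        reasons.append("source on a network share (T1570 context)")
    if dest:
        d = dest.lower()
        if is_ads(d):
            reasons.append("destination is an NTFS alternate data stream (T1564.004)")
        if d.endswith(EXEC_SUFFIXES):
            reasons.append("executable destination (T1140)")
        if any(s in d for s in STAGING_DIRS):
            reasons.append("destination in a user-writable staging directory")
    # A non-baseline parent only escalates when another signal is present, so routine maintenance stays quiet.
    if reasons and event["parent"].lower() not in BASELINE_PARENTS:
        reasons.append(f"parent {event['parent']} outside maintenance baseline")
    return reasons

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"image": r"C:\Windows\System32\expand.exe", "parent": "msiexec.exe",
     "cmdline": r"expand.exe -r C:\Windows\Temp\driver.cab C:\Windows\System32\DriverStore"},
    {"image": r"C:\Windows\System32\expand.exe", "parent": "cmd.exe",
     "cmdline": r'expand.exe "\\fileserver\share\update.cab" C:\Users\Public\svc.exe'},
    {"image": r"C:\Windows\System32\expand.exe", "parent": "powershell.exe",
     "cmdline": r"expand.exe C:\Users\jdoe\AppData\Local\Temp\a.cab C:\Users\jdoe\notes.txt:payload.exe"},
]
```

The first event (driver package handling under msiexec.exe) returns no reasons, while the share-to-Public-executable and alternate-data-stream events collect several; wire the returned reasons into the alert rather than alerting on every expand.exe launch.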
Mitigation priorities
- Ensure Windows endpoint logging captures process command lines and file creation events needed to reconstruct CAB expansion activity.
- Restrict unnecessary interactive or script-based use of system utilities through standard endpoint hardening and least-privilege administration where operationally feasible.
- Apply application control or allow-listing policies carefully, recognizing Expand is a legitimate Windows utility and may be needed for administration.
- Strengthen monitoring of file shares and internal transfer paths so compressed payload staging can be linked to later expansion activity.
- Document expected administrative use cases to support SOC triage, compliance evidence, and incident response scoping.
Analyst notes and limits
The supplied ATT&CK object identifies Expand as a Windows utility and notes use by BBSRAT to decompress a CAB file into executable content. The most useful defensive interpretation is not that Expand is inherently malicious, but that it can be part of payload staging, deobfuscation, hiding, or lateral movement workflows when seen in suspicious context.
ATT&CK provides no official detection text, no aliases, and no tactics directly assigned to the tool object. The defensive guidance above is derived only from the official description, external references, Windows platform field, and stated relationships to T1140, T1564.004, and T1570. Local environment baselines are required to separate normal administrative use from suspicious activity.
Expand
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Expand can be used to decompress a local or remote CAB file into an executable. (Citation: Microsoft Expand Utility) |
| Enterprise | T1570 | Lateral Tool Transfer | Expand can be used to download or upload a file over a network share. (Citation: LOLBAS Expand) |
| Enterprise | T1564.004 | NTFS File Attributes (sub-technique) | Expand can be used to download or copy a file into an alternate data stream. (Citation: LOLBAS Expand) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3511d68c355f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Expand Utility: Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.
- [2] Palo Alto Networks BBSRAT: Lee, B., & Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- [3] mitre-attack S0361
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.