
Summary
This detection rule identifies the expansion (decompression) of cabinet (CAB) files from unusual or suspicious directories, a staging technique observed in real intrusions, including the MeteorExpress wiper attack on Iranian targets. It relies on Windows process creation logs and looks for executions of the built-in expand.exe utility, which is commonly used to extract files from CAB archives, with command line parameters indicating extraction from folders that are uncommon for legitimate administrative work (for example PerfLogs, ProgramData and Temp directories). To reduce false positives, the rule excludes executions whose parent process is a Dell update service, which legitimately invokes expand.exe in a similar way. Combining the source location with the execution context (the parent process) raises the likelihood that a match is malicious while limiting noise from benign activity.
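The logic described above, applied to a few constructed process-creation events, as an added example that is not the rule's own code or part of the original page. Field names follow the Sysmon Event ID 1 layout (Image, OriginalFileName, CommandLine, ParentImage); the directory list, the Dell parent path and the sample events are assumptions that approximate, rather than reproduce, the rule. The example goes slightly beyond the summary by also matching on the PE's OriginalFileName so that a renamed copy of expand.exe is still caught.

```python
"""Simplified expand.exe CAB-extraction detection run over constructed events.
Illustrative code only: the directory list, the benign-parent fragment and the
sample events below are assumptions, not the detection rule's actual content."""

import re
from dataclasses import dataclass

# Source directories that legitimate administrative use of expand.exe rarely
# reads from. Assumed list, compared case-insensitively against the source path.
SUSPICIOUS_SOURCE_DIRS = (
    "\\perflogs\\",
    "\\programdata\\",
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
)

# Parent-image fragment excluded as a known benign updater. The page only says
# a Dell update service is filtered; this exact path is an assumption.
BENIGN_PARENT_FRAGMENTS = ("\\dell\\commandupdate\\",)

# expand.exe switches in dash or slash form: -F:<files>, -R, -D, -I
_SWITCH = re.compile(r"^[-/](f:|r$|d$|i$)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    original_file_name: str
    command_line: str
    parent_image: str


def positional_args(command_line: str) -> list[str]:
    """Tokenise the command line (respecting double quotes), drop the program
    token and any expand.exe switches, and return the remaining arguments.
    For a normal invocation that is [source_cab, destination]."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    return [t for t in tokens[1:] if not _SWITCH.match(t)]


def is_expand(ev: ProcessEvent) -> bool:
    """Match the on-disk name or the PE's original name, so that a renamed
    copy of expand.exe does not slip past the check."""
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    return image_name == "expand.exe" or ev.original_file_name.lower() == "expand.exe"


def is_suspicious_cab_expansion(ev: ProcessEvent) -> bool:
    """True when expand.exe reads its source CAB from one of the staging
    directories above and the parent process is not the excluded updater."""
    if not is_expand(ev):
        return False
    if any(frag in ev.parent_image.lower() for frag in BENIGN_PARENT_FRAGMENTS):
        return False
    args = positional_args(ev.command_line)
    if not args:
        return False
    source = args[0].lower()
    return any(d in source for d in SUSPICIOUS_SOURCE_DIRS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "staged_in_programdata": ProcessEvent(
        image="C:\\Windows\\System32\\expand.exe",
        original_file_name="expand.exe",
        command_line='expand.exe -F:* "C:\\ProgramData\\update.cab" C:\\ProgramData\\out',
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    "dell_updater_parent": ProcessEvent(
        image="C:\\Windows\\System32\\expand.exe",
        original_file_name="expand.exe",
        command_line="expand.exe -F:* C:\\ProgramData\\dell\\pkg.cab C:\\ProgramData\\dell\\out",
        parent_image="C:\\Program Files\\Dell\\CommandUpdate\\DellCommandUpdate.exe",
    ),
    "driverstore_source": ProcessEvent(
        image="C:\\Windows\\System32\\expand.exe",
        original_file_name="expand.exe",
        command_line="expand.exe -R C:\\Windows\\System32\\DriverStore\\FileRepository\\x.cab C:\\Windows\\Temp\\out",
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    "renamed_binary": ProcessEvent(
        image="C:\\Users\\Public\\svchost.exe",
        original_file_name="expand.exe",
        command_line="svchost.exe -F:* C:\\Users\\Public\\pkg.cab C:\\Users\\Public\\",
        parent_image="C:\\Windows\\System32\\wscript.exe",
    ),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the detection over every sample event and report hits by name."""
    return {name: is_suspicious_cab_expansion(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24} {'ALERT' if hit else 'ok'}")
```

Two design points worth noting. The check is applied to the source CAB argument rather than anywhere in the command line, so a legitimate extraction from the driver store into a Temp folder does not fire; a broader rule that matches either path trades that precision for coverage. The parent-process exclusion is the weak point: any allow-list keyed on a parent image can be abused by an attacker who launches expand.exe from, or spoofs, that parent, so the exclusion should be as narrow as the telemetry allows (full path, signer, or command line of the parent) and periodically reviewed.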
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-07-30