
Summary
This detection rule identifies use of the Windows built-in tool `expand.exe`, which extracts Microsoft Cabinet (CAB) archives. It specifically looks for extractions into sensitive locations such as `C:\ProgramData` or similar staging areas. The rule is informed by observed activity of the Advanced Persistent Threat (APT) group APT37, which extracted CAB payloads as part of its intrusions. Tracking `expand.exe` in this way flags cases where an attacker stages a payload before executing it, a possible indicator of compromise that warrants further investigation. The detection draws on data sources including Sysmon and Windows Event Logs and applies a well-defined SPL search to filter process creation events related to `expand.exe`. Users implementing this analytic should ensure logging is comprehensive enough to capture command line arguments and process details, since those fields are what allow malicious use to be identified effectively.
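The following is an added worked example of the detection logic described above, written for this page; it is not the rule's own SPL search and does not come from the rule's authors. It applies the same idea to a handful of constructed Sysmon Event ID 1 (process creation) records: match `expand.exe` (by image name, or by `OriginalFileName` to catch a renamed copy), work out where the extraction will land, and alert only when that destination is a staging directory. `C:\ProgramData` is taken from the rule text; the `C:\Users\Public` and `C:\Windows\Temp` prefixes, the `%VAR%` expansion table, and the assumption that `expand -r <source>` with no destination writes to the process's current directory are this example's own additions.

```python
"""Flag expand.exe CAB extractions into staging directories.

Added example for this rule page, not the rule's SPL. Input records are
constructed Sysmon Event ID 1 events reduced to the fields the check needs
(Image, CommandLine, OriginalFileName, CurrentDirectory, ParentImage).
"""
import ntpath
from typing import Optional

# Staging destinations. C:\ProgramData comes from the rule description; the
# other two prefixes are assumptions added for this example.
STAGING_PREFIXES = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp")

# Assumed default values for environment variables seen in command lines.
ENV_VARS = {
    "%programdata%": r"c:\programdata",
    "%public%": r"c:\users\public",
    "%temp%": r"c:\windows\temp",
}


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, current, in_quotes = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def normalize_path(path: str) -> str:
    """Lower-case, unify separators and expand known %VAR%s for prefix matching."""
    lowered = path.lower().replace("/", "\\")
    for var, value in ENV_VARS.items():
        lowered = lowered.replace(var, value)
    return lowered


def extraction_destination(tokens: list[str], current_dir: str) -> Optional[str]:
    """Return where expand.exe will write, or None if it is not extracting.

    Flags start with '-' or '/'; -D only lists the CAB contents; positionals are
    <source> [<destination>]. With a single positional (e.g. -r) this example
    assumes output goes to the process's current directory.
    """
    flags = [t.lower() for t in tokens[1:] if t[:1] in "-/"]
    positionals = [t for t in tokens[1:] if t[:1] not in "-/"]
    if any(f in ("-d", "/d") for f in flags) or not positionals:
        return None
    return positionals[-1] if len(positionals) >= 2 else current_dir


def is_staging_path(path: str) -> bool:
    """True when the path is a staging prefix or lies beneath one."""
    return any(path == p or path.startswith(p + "\\") for p in STAGING_PREFIXES)


def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule to one process-creation event; return an alert or None."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if image_name != "expand.exe" and original != "expand.exe":
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    dest = extraction_destination(tokens, event.get("CurrentDirectory", ""))
    if dest is None or not is_staging_path(normalize_path(dest)):
        return None
    return {
        "destination": normalize_path(dest),
        "renamed_binary": image_name != "expand.exe",  # copied under another name
        "parent": event.get("ParentImage", ""),
        "command_line": event.get("CommandLine", ""),
    }


def run(events: list[dict]) -> list[dict]:
    """Evaluate a batch of events and return the alerts raised."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SYS_EXPAND = r"C:\Windows\System32\expand.exe"
SAMPLE_EVENTS = [
    {"Image": SYS_EXPAND, "OriginalFileName": "expand.exe",  # servicing cache: benign
     "CommandLine": r"expand.exe -F:* C:\Windows\SoftwareDistribution\Download\kb.cab C:\Windows\SoftwareDistribution\Download\out",
     "CurrentDirectory": r"C:\Windows\System32", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": SYS_EXPAND, "OriginalFileName": "expand.exe",  # quoted source, ProgramData dest
     "CommandLine": r'expand.exe -F:* "C:\Users\Public\Downloads\update.cab" C:\ProgramData\Update',
     "CurrentDirectory": r"C:\Users\Public", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": SYS_EXPAND, "OriginalFileName": "expand.exe",  # destination via %ProgramData%
     "CommandLine": r"expand.exe -r C:\Users\Public\svc.ca_ %ProgramData%\svc",
     "CurrentDirectory": r"C:\Users\Public", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\ex.exe", "OriginalFileName": "expand.exe",  # renamed copy
     "CommandLine": r"ex.exe C:\Users\Public\p.cab C:\ProgramData\tmp",
     "CurrentDirectory": r"C:\Users\Public", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": SYS_EXPAND, "OriginalFileName": "expand.exe",  # -D lists only, no extraction
     "CommandLine": r"expand.exe -D C:\ProgramData\pkg.cab",
     "CurrentDirectory": r"C:\ProgramData", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": SYS_EXPAND, "OriginalFileName": "expand.exe",  # no dest: current dir is staging
     "CommandLine": r"expand.exe -r C:\Users\Public\a.cab",
     "CurrentDirectory": r"C:\ProgramData\stage", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Of the six constructed events, the servicing-cache extraction and the `-D` listing produce no alert; the other four do. In production the `parent` field is the first thing to triage, since `expand.exe` spawned by `svchost.exe` or an installer is routine while the same command under `cmd.exe` or `explorer.exe` writing into `C:\ProgramData` is what the rule is meant to surface.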
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1105
- T1140
Created: 2025-09-18