
Summary
This detection rule identifies suspicious use of the Extrac32 utility, a legitimate Windows tool that is often abused for defense evasion: data is extracted from a .cab file and hidden inside an Alternate Data Stream (ADS). The rule targets process creation events whose command line contains 'extrac32.exe' together with a '.cab' file, and specifically looks for a colon followed by a character other than a backslash, which suggests redirection of output or use of an ADS rather than an ordinary drive-letter path such as C:\. The rule is classified as medium severity and may generate false positives, though their exact nature is undetermined. It relates to the techniques outlined in the ATT&CK framework, particularly defense evasion tactics.
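The matching logic described above, written out as an added example rather than the rule's own implementation, and run over a few constructed process-creation events; the case-insensitive matching, the event field names and the sample command lines are assumptions made here, not taken from the rule.

```python
import re

# Colon followed by any character that is not a backslash. A drive letter
# such as C:\ therefore does not match, while file.txt:stream does.
ADS_COLON = re.compile(r":[^\\]")


def matches_extrac32_ads(command_line: str) -> bool:
    """Apply the three conditions the page describes to one command line.

    Substring checks are done case-insensitively (an assumption of this
    example); the colon check runs on the raw string.
    """
    lowered = command_line.lower()
    if "extrac32.exe" not in lowered or ".cab" not in lowered:
        return False
    return ADS_COLON.search(command_line) is not None


def scan_events(events):
    """Return the ProcessId of every event whose CommandLine matches.

    Events are dicts with 'ProcessId' and 'CommandLine' keys (hypothetical
    field names chosen for this example).
    """
    return [e["ProcessId"] for e in events if matches_extrac32_ads(e["CommandLine"])]


# Constructed sample events; none come from a real system.
SAMPLE_EVENTS = [
    # Benign extraction: both colons are drive letters followed by a backslash.
    {"ProcessId": 101, "CommandLine": r"extrac32.exe /Y C:\temp\archive.cab C:\temp\out"},
    # Unrelated process, no extrac32 at all.
    {"ProcessId": 102, "CommandLine": r"C:\Windows\System32\notepad.exe C:\notes.txt"},
    # Extraction target is an alternate data stream: colon followed by a letter.
    {"ProcessId": 103, "CommandLine": r"extrac32.exe /Y C:\temp\archive.cab C:\temp\readme.txt:data"},
    # A .cab handled by a different tool is outside the rule's scope.
    {"ProcessId": 104, "CommandLine": r"expand.exe C:\temp\archive.cab C:\temp\out -F:*"},
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))  # -> [103]
```

Only event 103 fires; event 104 contains a colon followed by `*` but is excluded because the rule also requires 'extrac32.exe' in the command line.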
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-11-26