makecab.exe - Cabinet Maker LOLBin Security Analysis
System utility | Medium risk | Windows | Legitimate binary, commonly abused
makecab.exe is a Windows utility for **creating cabinet (.cab) archive files**. It can be abused as a **LOLBin for data compression** before exfiltration and for **file staging**. While less commonly abused, it provides a legitimate way to compress data without external tools.
Risk Summary
MEDIUM priority for SOC triage. makecab.exe is a legitimate compression utility that can be used for data staging before exfiltration. Monitor for compression of sensitive files or unusual batch compression activity.
Overview
What is makecab.exe?
makecab.exe creates Microsoft Cabinet (.cab) archive files.
Core Functions
Archive Creation:
- Compress files to .cab
- Create installation packages
- System file compression
Security Significance
- Data Staging: Compress before exfil
- Trusted Binary: Microsoft signed
- LOLBin: Can aid attacks
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\makecab.exe |
| Parent | cmd.exe, install scripts |
| Context | Software installation |
Common Locations
C:\Windows\System32\makecab.exe
Suspicious Indicators
Legitimate vs Suspicious
| | Legitimate | Suspicious |
|---|---|---|
| Context | Software packaging; system operations | After reconnaissance; compressing user data |
| Files | Non-sensitive data | Documents, credentials; large batch operations |
Abuse Techniques
Attack Techniques
Technique #1: Data Staging (T1074)
Compress Before Exfiltration:
makecab sensitive.docx staged.cab
Technique #2: Batch Compression
for %f in (*.doc) do makecab %f
Detection Guidance
Detection Strategies
Priority #1: Sensitive File Compression
Process = "makecab.exe" AND
CommandLine CONTAINS [".doc", ".xls", ".pst", "password"]
→ ALERT: HIGH
Priority #2: Bulk Operations
makecab.exe executions > 10 in 5 minutes
→ ALERT: MEDIUM - Possible staging
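The two detection priorities above, worked through as an added example (this is illustrative code written for this page, not a rule shipped by any SIEM or by the site's own tooling). It runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (UtcTime, Computer, Image, CommandLine, ParentImage); the sample events, host names and file names are all made up. Note that the page's token list is matched as a case-insensitive substring, so ".doc" also catches ".docx" and ".docm", and the bulk rule is a per-host sliding window so one alert covers a whole burst rather than firing on every execution.

```python
"""Triage helper for makecab.exe process-creation events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Priority #1 token list from the page; matched case-insensitively as substrings,
# so ".doc" also covers ".docx" / ".docm" and ".xls" covers ".xlsx".
SENSITIVE_TOKENS = (".doc", ".xls", ".pst", "password")

# Priority #2 thresholds from the page: more than 10 executions in 5 minutes.
BULK_THRESHOLD = 10
BULK_WINDOW = timedelta(minutes=5)


def is_makecab(event):
    """True when the created process image is makecab.exe, whatever its path."""
    return PureWindowsPath(event["Image"]).name.lower() == "makecab.exe"


def sensitive_tokens_hit(command_line):
    """Return the sensitive tokens present in a command line (case-insensitive)."""
    lowered = command_line.lower()
    return [t for t in SENSITIVE_TOKENS if t in lowered]


def check_sensitive_compression(event):
    """Priority #1: HIGH alert when makecab.exe is given sensitive file types."""
    if not is_makecab(event):
        return None
    hits = sensitive_tokens_hit(event["CommandLine"])
    if not hits:
        return None
    # Parent image is carried along so the analyst can see whether this ran
    # from an installer or from an interactive cmd.exe session.
    return {"severity": "HIGH", "rule": "makecab sensitive file compression",
            "host": event["Computer"], "time": event["UtcTime"],
            "matched": hits, "parent": event["ParentImage"]}


def check_bulk_operations(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Priority #2: MEDIUM alert when one host runs makecab.exe more than
    `threshold` times inside any sliding window of length `window`.

    One alert is emitted per host per burst (when the threshold is first
    crossed); the flag clears once the count inside the window drops back.
    """
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of makecab runs in window
    alerted = set()               # hosts currently inside an alerted burst
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not is_makecab(ev):
            continue
        host = ev["Computer"]
        ts = datetime.fromisoformat(ev["UtcTime"])
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop runs older than the window
            q.popleft()
        if len(q) > threshold:
            if host not in alerted:
                alerted.add(host)
                alerts.append({"severity": "MEDIUM",
                               "rule": "makecab bulk operations - possible staging",
                               "host": host, "time": ev["UtcTime"],
                               "count": len(q),
                               "window_minutes": window.total_seconds() / 60})
        else:
            alerted.discard(host)
    return alerts


def triage(events):
    """Run both priorities and return alerts, HIGH first, then by time."""
    alerts = [a for a in map(check_sensitive_compression, events) if a]
    alerts.extend(check_bulk_operations(events))
    alerts.sort(key=lambda a: (a["severity"] != "HIGH", a["time"]))
    return alerts


# --- Constructed sample events (not real telemetry) ----------------------
def _ev(t, host, cmd, parent=r"C:\Windows\System32\cmd.exe"):
    return {"UtcTime": t, "Computer": host,
            "Image": r"C:\Windows\System32\makecab.exe",
            "CommandLine": cmd, "ParentImage": parent}


_start = datetime(2026, 1, 18, 10, 10, 0)
SAMPLE_EVENTS = [
    # benign: an installer packing a driver file
    _ev("2026-01-18T10:00:00", "WS01", "makecab.exe driver.sys driver.sy_",
        parent=r"C:\Temp\setup.exe"),
    # suspicious: the page's single-document staging command
    _ev("2026-01-18T10:05:00", "WS02", "makecab sensitive.docx staged.cab"),
] + [
    # bulk: twelve runs in under two minutes on one host (batch loop pattern)
    _ev((_start + timedelta(seconds=10 * i)).isoformat(), "WS03",
        f"makecab report{i}.txt")
    for i in range(12)
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints one HIGH alert for WS02 (token ".doc" matched) and one MEDIUM alert for WS03 once the eleventh execution lands inside the five-minute window; the WS01 installer run produces nothing.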
Remediation Steps
Protection and Remediation
Defense: Monitor Data Compression
Alert on compression of sensitive file types.
If Compromise Suspected
- Identify what files were compressed
- Locate .cab files created
- Check for exfiltration
Investigation Checklist
- Review command line arguments
- Identify compressed files
- Check for bulk operations
- Look for exfiltration activity
MITRE ATT&CK Techniques
- T1074: Data Staging
Last verified: January 18, 2026