Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Sigma rule (View on GitHub)
1title: Self Extraction Directive File Created In Potentially Suspicious Location
2id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
3related:
4 - id: ab90dab8-c7da-4010-9193-563528cfa347
5 type: derived
6status: test
7description: |
8 Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
9 These files are used by the "iexpress.exe" utility in order to create self extracting packages.
10 Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
11references:
12 - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
13 - https://en.wikipedia.org/wiki/IExpress
14 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
15author: Joseliyo Sanchez, @Joseliyo_Jstnk
16date: 2024-02-05
17tags:
18 - attack.defense-evasion
19 - attack.t1218
20logsource:
21 category: file_event
22 product: windows
23detection:
24 selection:
25 TargetFilename|contains:
26 - ':\ProgramData\'
27 - ':\Temp\'
28 - ':\Windows\System32\Tasks\'
29 - ':\Windows\Tasks\'
30 - ':\Windows\Temp\'
31 - '\AppData\Local\Temp\'
32 TargetFilename|endswith: '.sed'
33 condition: selection
34falsepositives:
35 - Unknown
36level: medium
References
Related rules
- Potentially Suspicious Self Extraction Directive File Created
- MpiExec Lolbin
- Potential Compromised 3CXDesktopApp Execution
- Potentially Suspicious Cabinet File Expansion
- Binary Proxy Execution Via Dotnet-Trace.EXE