Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Sigma rule (View on GitHub)

 1title: Self Extraction Directive File Created In Potentially Suspicious Location
 2id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
 3related:
 4    - id: ab90dab8-c7da-4010-9193-563528cfa347
 5      type: derived
 6status: experimental
 7description: |
 8    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
 9    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
10    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.    
11references:
12    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
13    - https://en.wikipedia.org/wiki/IExpress
14    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
15author: Joseliyo Sanchez, @Joseliyo_Jstnk
16date: 2024-02-05
17tags:
18    - attack.defense-evasion
19    - attack.t1218
20logsource:
21    category: file_event
22    product: windows
23detection:
24    selection:
25        TargetFilename|contains:
26            - ':\ProgramData\'
27            - ':\Temp\'
28            - ':\Windows\System32\Tasks\'
29            - ':\Windows\Tasks\'
30            - ':\Windows\Temp\'
31            - '\AppData\Local\Temp\'
32        TargetFilename|endswith: '.sed'
33    condition: selection
34falsepositives:
35    - Unknown
36level: medium

References

Related rules

to-top