Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Sigma rule (View on GitHub)
1title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
2id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
3status: experimental
4description: |
5 Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
6 This behavior has been observed in-the-wild by different threat actors.
7references:
8 - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
9 - https://en.wikipedia.org/wiki/IExpress
10 - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
11 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
12author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
13date: 2024/02/05
14tags:
15 - attack.defense_evasion
16 - attack.t1218
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 # VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
22 selection_img:
23 - Image|endswith: '\iexpress.exe'
24 - OriginalFileName: 'IEXPRESS.exe'
25 selection_cli:
26 CommandLine|contains: ' /n '
27 selection_paths:
28 CommandLine|contains:
29 # Note: Add more uncommon paths that fit your organizational needs.
30 - ':\ProgramData\'
31 - ':\Temp\'
32 - ':\Windows\System32\Tasks\'
33 - ':\Windows\Tasks\'
34 - ':\Windows\Temp\'
35 - '\AppData\Local\Temp\'
36 condition: all of selection_*
37falsepositives:
38 - Administrators building packages using iexpress.exe
39level: high
References
Related rules
- Execute Files with Msdeploy.exe
- MSI Installation From Web
- Malicious Windows Script Components File Execution by TAEF Detection
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE