Attachment: SFX archive containing commands

Attachment is an SFX archive that contains commands that will execute when opened. This can be used to run malicious commands, and has been observed in the wild.

Sublime rule

name: "Attachment: SFX archive containing commands"
description: |
    Attachment is an SFX archive that contains commands that will execute when opened. This can be used to run malicious commands, and has been observed in the wild.
references:
  - "https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/"
  - "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ ("exe", "sfx")
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(., 'CMT;The comment below contains SFX script commands')
                  )
                  and any(.scan.strings.strings, strings.ilike(., 'Setup=*'))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "File analysis"
id: "343e6c8c-8e46-5f3d-a5ee-c79360f73376"
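As an added illustration, not part of the Sublime rule or its repository, the Python below emulates the two string checks in the rule's `source` on raw file bytes: a case-insensitive exact match on the SFX comment marker and a `Setup=*` prefix match, combined with the same AND. The extension gate and `file.explode` are left out, and the sample byte strings are constructed for the test.

```python
import re
from dataclasses import dataclass

# Markers taken from the rule above: WinRAR's SFX comment header line and the
# "Setup=" script command that follows it.
CMT_MARKER = "CMT;The comment below contains SFX script commands"
SETUP_PREFIX = "Setup="

# Rough stand-in for .scan.strings.strings: runs of 4+ printable ASCII bytes.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> list[str]:
    """Return printable-ASCII runs, like the `strings` utility would."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(data)]


@dataclass
class SfxVerdict:
    has_cmt_marker: bool
    setup_commands: list[str]

    @property
    def suspicious(self) -> bool:
        # Same conjunction as the rule: marker present AND at least one Setup= line.
        return self.has_cmt_marker and bool(self.setup_commands)


def inspect_sfx(data: bytes) -> SfxVerdict:
    """Apply the rule's string logic to one exploded file's bytes."""
    strings = extract_strings(data)
    # ilike with no wildcard is a whole-string, case-insensitive match.
    has_cmt = any(s.lower() == CMT_MARKER.lower() for s in strings)
    # ilike('Setup=*') is a case-insensitive prefix match.
    setups = [s for s in strings if s.lower().startswith(SETUP_PREFIX.lower())]
    return SfxVerdict(has_cmt, setups)


# Constructed samples (not real malware): a fake PE header followed by an
# SFX comment block, and a plain executable with no script block.
SAMPLE_WITH_SCRIPT = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"CMT;The comment below contains SFX script commands\r\n"
    + b"Setup=placeholder.exe\r\n"
    + b"Silent=1\r\n" + b"\x00" * 16
)
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 32 + b"This program cannot be run in DOS mode"
```

Strings such as `Silent=1` are surfaced by `extract_strings` but, as in the rule, only the `Setup=` line drives the verdict.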