← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potentially Suspicious Self Extraction Directive File Created

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
title: Potentially Suspicious Self Extraction Directive File Created
id: ab90dab8-c7da-4010-9193-563528cfa347
related:
    - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
      type: derived
status: test
description: |
    Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
    Usually ".sed" files are simple ini files and not PE binaries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: file_executable_detected
detection:
    selection:
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium