sigmaDRL-1.1from SigmaHQ/sigma

Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Quality

100

FP risk

—

Forks

Views

ATT&CK techniques

T1218

Rule sourcerules/windows/file/file_event/file_event_win_sed_file_creation.yml

title: Self Extraction Directive File Created In Potentially Suspicious Location
id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
    - id: ab90dab8-c7da-4010-9193-563528cfa347
      type: derived
status: test
description: |
    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium