← Back to Explore
sublimemediumRule
Attachment: SFX archive containing commands
Attachment is an SFX archive that contains commands that will execute when opened. This can be used to run malicious commands, and has been observed in the wild.
Detection Query
type.inbound
and any(attachments,
.file_extension in~ ("exe", "sfx")
and any(file.explode(.),
any(.scan.strings.strings,
strings.ilike(.,
'CMT;The comment below contains SFX script commands'
)
)
and any(.scan.strings.strings, strings.ilike(., 'Setup=*'))
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Attachment: SFX archive containing commands"
description: |
Attachment is an SFX archive that contains commands that will execute when opened. This can be used to run malicious commands, and has been observed in the wild.
references:
- "https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/"
- "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ ("exe", "sfx")
and any(file.explode(.),
any(.scan.strings.strings,
strings.ilike(.,
'CMT;The comment below contains SFX script commands'
)
)
and any(.scan.strings.strings, strings.ilike(., 'Setup=*'))
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Scripting"
detection_methods:
- "File analysis"
id: "343e6c8c-8e46-5f3d-a5ee-c79360f73376"