Sigma rule | Level: medium | Hunting

Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  TargetFilename|contains:
    - :\ProgramData\
    - :\Temp\
    - :\Windows\System32\Tasks\
    - :\Windows\Tasks\
    - :\Windows\Temp\
    - \AppData\Local\Temp\
  TargetFilename|endswith: .sed
condition: selection
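To show how the selection above behaves on real event data, here is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates the rule's two modifiers with Sigma's case-insensitive string semantics over constructed file-creation events; the `Image`/`TargetFilename` field names and the sample paths are assumptions shaped like Sysmon Event ID 11 records.

```python
# Sigma `contains` / `endswith` values are matched case-insensitively; the list under
# one modifier is OR-ed, and the two modifiers under the same selection are AND-ed.
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\ProgramData\\",
    ":\\Temp\\",
    ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
)
SED_SUFFIX = ".sed"


def sed_in_suspicious_location(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies the rule's selection."""
    name = target_filename.lower()
    in_suspicious_dir = any(frag.lower() in name for frag in SUSPICIOUS_PATH_FRAGMENTS)
    return in_suspicious_dir and name.endswith(SED_SUFFIX)


def hunt(events):
    """Return (Image, TargetFilename) pairs for every file event the rule flags."""
    return [(e["Image"], e["TargetFilename"]) for e in events
            if sed_in_suspicious_location(e["TargetFilename"])]


# Constructed sample events (assumed field names, modelled on Sysmon FileCreate).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\Temp\\build.SED"},                      # hit: suffix case differs
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\~pkg.sed"},  # hit: user temp dir
    {"Image": "C:\\Windows\\System32\\iexpress.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\installer.sed"},        # miss: ordinary location
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\report.sed.txt"},                 # miss: does not end in .sed
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\ProgramData\\updater\\stage.sed"},               # hit: nested under ProgramData
]

if __name__ == "__main__":
    for image, path in hunt(SAMPLE_EVENTS):
        print(f"ALERT  {image} -> {path}")
```

Note that `contains` matches anywhere in the path, so files created in subdirectories of the listed locations are flagged too, while a `.sed` file in a normal user directory is not.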

Author

Joseliyo Sanchez, @Joseliyo_Jstnk

Created

2024-02-05

Data Sources

File Events (windows)

Platforms

windows

Tags

attack.defense-evasion
attack.t1218

Raw Content
title: Self Extraction Directive File Created In Potentially Suspicious Location
id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
    - id: ab90dab8-c7da-4010-9193-563528cfa347
      type: derived
status: test
description: |
    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium