Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Joseliyo SanchezCreated Mon Feb 05760e75d8-c3b5-409b-a9bf-6130b4c4603fwindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetFilename|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith: '.sed'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
strontic.github.io
2
Resolving title…
en.wikipedia.org
3
Resolving title…
virustotal.com
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

Potentially Suspicious Self Extraction Directive File Created

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
760e75d8-c3b5-409b-a9bf-6130b4c4603f
Status
test
Level
medium
Type
Detection
Created
Mon Feb 05
Author
Joseliyo Sanchez
Path
rules/windows/file/file_event/file_event_win_sed_file_creation.yml
Raw Tags
attack.defense-evasionattack.t1218
View on GitHub