Detectionmediumtest

Potentially Suspicious Self Extraction Directive File Created

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Joseliyo SanchezCreated Mon Feb 05ab90dab8-c7da-4010-9193-563528cfa347windows

Log Source

Windowsfile_executable_detected

ProductWindows← raw: windows

Categoryfile_executable_detected← raw: file_executable_detected

Detection Logic

detection:
    selection:
        TargetFilename|endswith: '.sed'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Related Rules

DerivedDetectionmedium

Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

ab90dab8-c7da-4010-9193-563528cfa347

Status

test

Level

medium

Type

Detection

Created

Mon Feb 05

Author

Joseliyo Sanchez

Path

rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub