Threat Hunt | medium | test

New Self Extracting Package Created Via IExpress.EXE

Detects the "iexpress.exe" utility creating self-extracting packages. Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command-line options passed to "iexpress" and, if a ".sed" file is referenced, check its contents and legitimacy.

Author: Joseliyo Sanchez
Created: Mon Feb 05
Rule ID: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
Product: windows
Hunting Hypothesis
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection_1_parent:
        ParentImage|endswith: '\iexpress.exe'
    selection_1_img:
        - Image|endswith: '\makecab.exe'
        - OriginalFileName: 'makecab.exe'
    selection_2_img:
        - Image|endswith: '\iexpress.exe'
        - OriginalFileName: 'IEXPRESS.exe'
    selection_2_cli:
        CommandLine|contains: ' /n '
    condition: all of selection_1_* or all of selection_2_*
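
To show how the four selectors and the condition combine, here is an added Python matcher (not part of this rule or of the Sigma project) that applies this rule's Sigma semantics (case-insensitive `endswith`/`contains`, AND within a map, OR across a list, `all of selection_N_*`) to a few constructed process-creation events.

```python
RULE = {  # the four selectors, transcribed from the YAML above
    "selection_1_parent": {"ParentImage|endswith": r"\iexpress.exe"},
    "selection_1_img": [{"Image|endswith": r"\makecab.exe"},
                        {"OriginalFileName": "makecab.exe"}],
    "selection_2_img": [{"Image|endswith": r"\iexpress.exe"},
                        {"OriginalFileName": "IEXPRESS.exe"}],
    "selection_2_cli": {"CommandLine|contains": " /n "},
}

def field_matches(event, key, expected):
    """One Sigma field test; string matching is case-insensitive by default."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    return actual == expected  # no modifier: exact (case-insensitive) match

def selection_matches(event, selection):
    """A map is AND over its fields; a list of maps is OR over its items."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def all_of(event, prefix):
    """'all of selection_N_*': every selector whose name starts with prefix."""
    return all(selection_matches(event, sel) for name, sel in RULE.items()
               if name.startswith(prefix))

def rule_matches(event):
    return all_of(event, "selection_1_") or all_of(event, "selection_2_")

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\makecab.exe", "OriginalFileName": "makecab.exe",
     "ParentImage": r"C:\Windows\System32\iexpress.exe", "CommandLine": "makecab /F tmp.ddf"},
    {"Image": r"C:\Windows\System32\iexpress.exe", "OriginalFileName": "IEXPRESS.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"iexpress.exe /N C:\tmp\pkg.sed"},
    {"Image": r"C:\Windows\System32\iexpress.exe", "OriginalFileName": "IEXPRESS.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "iexpress.exe"},  # wizard, no /n
    {"Image": r"C:\Windows\System32\makecab.exe", "OriginalFileName": "makecab.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "makecab /F x.ddf"},
]

def hunt(events):
    return [i for i, e in enumerate(events) if rule_matches(e)]  # → [0, 1]
```

Note that `contains: ' /n '` requires a space on both sides, so a command line ending in `/n` with no trailing argument would not match; that is the kind of gap to weigh when tuning this hunt.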
False Positives

Administrators building packages using iexpress.exe

MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
Status
test
Level
medium
Type
Threat Hunt
Created
Mon Feb 05
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
Raw Tags
attack.defense-evasion, attack.t1218, detection.threat-hunting