Detection rules › Sigma
Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
or:
TargetFilename|contains: ':\ProgramData\'
TargetFilename|contains: ':\Temp\'
TargetFilename|contains: ':\Windows\System32\Tasks\'
TargetFilename|contains: ':\Windows\Tasks\'
TargetFilename|contains: ':\Windows\Temp\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: .sed
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | ends_with |
|
TargetFilename | match |
|