Adversaries may write Self Extraction Directive (.sed) files into temporary or system staging directories and hand them to the built-in iexpress.exe utility, which turns the directive into a self-extracting package and runs the embedded command. Because iexpress.exe is a signed Windows binary, the .sed file dropped into an odd location is often the clearest artifact of the activity. SOC teams can hunt for it proactively in Microsoft Sentinel (formerly Azure Sentinel) to identify compromise before the package is used for follow-on activity such as lateral movement or data exfiltration.
Detection Rule
title: Self Extraction Directive File Created In Potentially Suspicious Location
id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
    - id: ab90dab8-c7da-4010-9193-563528cfa347
      type: derived
status: test
description: |
    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium
Sentinel Query (KQL)
// Translation of the Sigma selection for the ASIM imFileEvent parser in Microsoft Sentinel.
// The directory checks must run on TargetFilePath (the full, normalized path). ASIM's
// TargetFileName holds only the base name, so the path fragments would never match against it.
// EventType is restricted to FileCreated to mirror the Sigma file_event (file creation) logsource.
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith ".sed"
| where TargetFilePath contains ":\\ProgramData\\" or TargetFilePath contains ":\\Temp\\" or TargetFilePath contains ":\\Windows\\System32\\Tasks\\" or TargetFilePath contains ":\\Windows\\Tasks\\" or TargetFilePath contains ":\\Windows\\Temp\\" or TargetFilePath contains "\\AppData\\Local\\Temp\\"
False Positives and Tuning
The rule lists its false positives as "Unknown". The scenarios below are the legitimate sources of .sed files a SOC is likely to meet; note that .sed is an IExpress-specific format, so most third-party packaging tools never produce one.
Scenario: A packaging engineer runs the IExpress Wizard (iexpress.exe) interactively and saves the Self Extraction Directive to a scratch folder such as %TEMP% or C:\Windows\Temp\ before building the package.
Filter/Exclusion: Exclude on the combination of creating process (iexpress.exe) and a named packaging account or host, not on the path. The monitored directories are the point of the rule; removing C:\Windows\Temp\ or C:\ProgramData\ from it would blind it to the behaviour it exists to catch.
Scenario: A build or deployment job (PowerShell, batch, or a CI agent) writes a .sed file and then runs iexpress /N <file>.sed unattended to produce a self-extracting installer.
Filter/Exclusion: After reviewing what the directive packages, exclude the specific script path, service account and build host; keep alerting when the same .sed path is written by any other process or user.
Scenario: A developer keeps .sed files in a project tree or user profile (C:\Dev\, C:\Users\<User>\Documents\) and occasionally copies one into C:\Temp\ for a test build.
Filter/Exclusion: No exclusion is needed for the project or profile directories, which the rule does not cover. For the copy into C:\Temp\, scope the exclusion to that developer's workstation and user rather than to the directory.
Scenario: Software is packaged or patched with InstallShield, Inno Setup, 7-Zip or WinRAR self-extracting archives, WSUS, or Chocolatey.
Filter/Exclusion: None of these tools themselves use Self Extraction Directive files, so a .sed appearing in a monitored directory is not explained by their presence. Investigate such a hit rather than excluding the tool's directories.
Scenario: A user writes a .sed by hand for testing; the format is plain INI text, so any editor or script can produce one.
Filter/Exclusion: The rule already ignores C:\Users\<User>\Documents\ and Downloads\. If the file lands in %LOCALAPPDATA%\Temp\, review it once and exclude on user and creating process, because a hand-written .sed in a temp directory is also exactly what an intrusion looks like.
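The rule's selection and the process-based tuning described in the scenarios above, run over constructed Sysmon Event ID 11 (FileCreate) style events. This is an added example written for this page, not code from the Sigma rule's author or from Sentinel; the FileEvent fields, the KNOWN_PACKAGING allowlist, and the sample paths and accounts are assumptions. It also shows why the directory checks must run on the full path: applied to a bare file name (what ASIM's TargetFileName column holds) the path fragments can never match.

```python
"""Apply the Sigma rule's selection and a tuning step to constructed file-creation events."""
from dataclasses import dataclass

# Path fragments copied from the rule's TargetFilename|contains list.
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\ProgramData\\",
    ":\\Temp\\",
    ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
)


@dataclass(frozen=True)
class FileEvent:
    """Minimal Sysmon Event ID 11 view: full target path, creating image, and user (assumed fields)."""
    target_filename: str
    image: str
    user: str


def matches_rule(event: FileEvent) -> bool:
    """Sigma's contains/endswith modifiers are case-insensitive, so compare lower-cased."""
    path = event.target_filename.lower()
    if not path.endswith(".sed"):
        return False
    return any(fragment.lower() in path for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def matches_on_basename_only(event: FileEvent) -> bool:
    """Same test against the bare file name, as it would run if a KQL translation used ASIM's
    TargetFileName (name without path) instead of TargetFilePath. Always False for this rule."""
    name = event.target_filename.rsplit("\\", 1)[-1]
    return matches_rule(FileEvent(name, event.image, event.user))


# Hypothetical tuning allowlist: (creating process basename, account) pairs the SOC has reviewed.
# Tuning keys on who wrote the file, not on the path, so the monitored directories stay covered.
KNOWN_PACKAGING = {
    ("iexpress.exe", "corp\\pkgsvc"),
}


def is_known_benign(event: FileEvent) -> bool:
    image = event.image.rsplit("\\", 1)[-1].lower()
    return (image, event.user.lower()) in KNOWN_PACKAGING


def hunt(events) -> list[str]:
    """Return the target paths that match the rule and survive tuning, in event order."""
    return [e.target_filename for e in events if matches_rule(e) and not is_known_benign(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("C:\\Windows\\Temp\\pkg.sed",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CORP\\jdoe"),
    FileEvent("C:\\Users\\pkgsvc\\AppData\\Local\\Temp\\build.sed",
              "C:\\Windows\\System32\\iexpress.exe", "CORP\\pkgsvc"),
    FileEvent("C:\\Users\\jdoe\\Documents\\build.sed",
              "C:\\Windows\\System32\\notepad.exe", "CORP\\jdoe"),
    FileEvent("C:\\ProgramData\\Update\\readme.txt",
              "C:\\Windows\\explorer.exe", "CORP\\jdoe"),
    FileEvent("C:\\PROGRAMDATA\\Update\\RUN.SED",
              "C:\\Windows\\System32\\cmd.exe", "CORP\\svc-backup"),
    FileEvent("D:\\Temp\\notes.sed.txt",
              "C:\\Windows\\explorer.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The second event matches the rule but is dropped by the allowlist because iexpress.exe run by the packaging account wrote it; the fifth shows the case-insensitive match on an upper-cased path, and the last shows that a name merely containing ".sed" does not satisfy endswith.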