Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- source: sigma
- techniques:
- T1218
Description
Detects the use of iexpress.exe to build self-extracting binaries from Self Extraction Directive (SED) files that reside in potentially suspicious locations (ProgramData, Temp directories, the Windows Tasks folders). This behavior has been observed in the wild from different threat actors.
Detection logic
detection:
    selection_img:
        - Image|endswith: '\iexpress.exe'
        - OriginalFileName: 'IEXPRESS.exe'
    selection_cli:
        CommandLine|contains|windash: ' /n '
    selection_paths:
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: all of selection_*
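To see what the three selections actually require of a process-creation event, here is a small evaluator that mirrors the rule's logic (case-insensitive matching, the endswith/contains modifiers, and a windash expansion of ' /n ' to ' -n ') and runs it over a handful of constructed Sysmon-style events. This is an added example, not the rule's own code or a Sigma backend: the event records are made up, the windash expansion here covers only '-' and '/' (the current Sigma specification also expands Unicode dashes, which is omitted), and the ' /n ' token is iexpress's switch for building a package from a SED without showing the wizard UI. The last sample event shows the rule's blind spot as written: a copied and renamed iexpress.exe whose OriginalFileName has also been altered fails selection_img even though the command line is otherwise identical.

```python
import itertools

# Constructed sample events (not real telemetry), shaped like Sysmon EventID 1 fields.
SAMPLE_EVENTS = [
    {   # expected hit: non-interactive build (/N) from a SED under ProgramData
        "Image": r"C:\Windows\System32\iexpress.exe",
        "OriginalFileName": "IEXPRESS.exe",
        "CommandLine": r"iexpress.exe /N C:\ProgramData\update.sed",
    },
    {   # expected hit: windash variant "-n" and a SED under AppData\Local\Temp
        "Image": r"C:\Windows\SysWOW64\iexpress.exe",
        "OriginalFileName": "IEXPRESS.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\iexpress.exe" -n C:\Users\bob\AppData\Local\Temp\pkg.sed',
    },
    {   # expected miss: interactive wizard launch, no /N and no path argument
        "Image": r"C:\Windows\System32\iexpress.exe",
        "OriginalFileName": "IEXPRESS.exe",
        "CommandLine": "iexpress.exe",
    },
    {   # expected miss: /N present but the SED lives outside the listed directories
        "Image": r"C:\Windows\System32\iexpress.exe",
        "OriginalFileName": "IEXPRESS.exe",
        "CommandLine": r"iexpress.exe /n C:\Dev\installer\build.sed",
    },
    {   # expected miss (rule blind spot): renamed copy with altered OriginalFileName
        "Image": r"C:\ProgramData\svc.exe",
        "OriginalFileName": "svc.exe",
        "CommandLine": r"svc.exe /n C:\ProgramData\x.sed",
    },
]


def windash_variants(value):
    """Expand Sigma's |windash modifier: every '-' or '/' in the value may be
    written either way. Unicode dash variants are deliberately not handled here."""
    positions = [i for i, c in enumerate(value) if c in "-/"]
    variants = []
    for combo in itertools.product("/-", repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.append("".join(chars))
    return variants


def field_matches(event, field, modifiers, value):
    """Evaluate one `Field|modifier...: value` clause. Sigma string matching is
    case-insensitive by default, so both sides are lowercased."""
    actual = str(event.get(field, "")).lower()
    candidates = windash_variants(value) if "windash" in modifiers else [value]
    for cand in candidates:
        cand = cand.lower()
        if "contains" in modifiers:
            hit = cand in actual
        elif "endswith" in modifiers:
            hit = actual.endswith(cand)
        elif "startswith" in modifiers:
            hit = actual.startswith(cand)
        else:
            hit = actual == cand
        if hit:
            return True
    return False


SUSPICIOUS_PATHS = [
    ":\\ProgramData\\", ":\\Temp\\", ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
]

# Each selection is a list of (field, modifiers, value) clauses ORed together.
# That is exact for this rule: selection_img is a YAML list of single-key maps
# (OR), selection_cli is one clause, selection_paths is one field with a value
# list (OR). A multi-key map would be AND, which does not occur here.
SELECTIONS = {
    "selection_img": [
        ("Image", ["endswith"], r"\iexpress.exe"),
        ("OriginalFileName", [], "IEXPRESS.exe"),
    ],
    "selection_cli": [("CommandLine", ["contains", "windash"], " /n ")],
    "selection_paths": [("CommandLine", ["contains"], p) for p in SUSPICIOUS_PATHS],
}


def selection_hit(event, clauses):
    return any(field_matches(event, f, m, v) for f, m, v in clauses)


def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_hit(event, clauses) for clauses in SELECTIONS.values())


def run(events=SAMPLE_EVENTS):
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the block fires on the first two events only. The fourth event is a useful reminder of why the path list exists: iexpress.exe with /N is a legitimate build step for developers, so the rule keys on where the SED is staged rather than on iexpress usage alone, and any tuning should add trusted build directories to a filter rather than loosen selection_paths.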