From 5fac8cb7df3f90c009fb745ba532abb1f64cdfd3 Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Thu, 8 Feb 2024 16:57:23 +0100
Subject: [PATCH] Merge PR #4692 from @jstnk9 - Add new rules related to IExpress abuse
new: New Self Extracting Package Created Via IExpress.EXE
new: Self Extraction Directive File Created In Potentially Suspicious Location
new: Potentially Suspicious Self Extraction Directive File Created
new: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../proc_creation_win_iexpress_execution.yml | 36 +++++++++++++++++
 .../file_event_win_sed_file_creation.yml | 36 +++++++++++++++++
 ...ble_detected_win_susp_embeded_sed_file.yml | 30 ++++++++++++++
 ...c_creation_win_iexpress_susp_execution.yml | 39 +++++++++++++++++++
 tests/logsource.json | 1 +
 5 files changed, 142 insertions(+)
 create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
 create mode 100644 rules/windows/file/file_event/file_event_win_sed_file_creation.yml
 create mode 100644 rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
new file mode 100644
index 000000000..aa976ace8
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
@@ -0,0 +1,36 @@
+title: New Self Extracting Package Created Via IExpress.EXE
+id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
+status: experimental
+description: |
+ Detects the "iexpress.exe" utility creating self-extracting packages.
+ Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
+ Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
+references:
+ - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
+ - https://en.wikipedia.org/wiki/IExpress
+ - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
+ - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024/02/05
+tags:
+ - attack.execution
+ - attack.t1218
+ - detection.threat_hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1_parent:
+ ParentImage|endswith: '\iexpress.exe'
+ selection_1_img:
+ - Image|endswith: '\makecab.exe'
+ - OriginalFileName: 'makecab.exe'
+ selection_2_img:
+ - Image|endswith: '\iexpress.exe'
+ - OriginalFileName: 'IEXPRESS.exe'
+ selection_2_cli:
+ CommandLine|contains: ' /n '
+ condition: all of selection_1_* or all of selection_2_*
+falsepositives:
+ - Administrators building packages using iexpress.exe
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
new file mode 100644
index 000000000..b6147a2bb
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
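Review bot: The description in this hunk has a wording slip that will be copied into every downstream rendering of the rule: `Attackers where seen leveraging "iexpress"` should read `Attackers were seen leveraging "iexpress"`. The third sentence would also read more naturally as `Investigate the command line options passed to "iexpress"; if a ".sed" file is referenced, check its contents and legitimacy.` One further documentation point: `selection_1_*` fires on every makecab.exe child of iexpress.exe, which presumably includes interactive wizard runs, while `selection_2_*` only fires on the `/n` build switch; a short comment above `selection_1_parent` such as `# Any package build (wizard or /n) spawns makecab.exe; this branch is the broader of the two` would make the asymmetry explicit for hunters tuning the rule.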
@@ -0,0 +1,36 @@
+title: Self Extraction Directive File Created In Potentially Suspicious Location
+id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
+related:
+ - id: ab90dab8-c7da-4010-9193-563528cfa347
+ type: derived
+status: experimental
+description: |
+ Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
+ These files are used by the "iexpress.exe" utility in order to create self extracting packages.
+ Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
+references:
+ - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
+ - https://en.wikipedia.org/wiki/IExpress
+ - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024/02/05
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains:
+ - ':\ProgramData\'
+ - ':\Temp\'
+ - ':\Windows\System32\Tasks\'
+ - ':\Windows\Tasks\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ TargetFilename|endswith: '.sed'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
new file mode 100644
index 000000000..88cc73726
--- /dev/null
+++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
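Review bot: The `related` block at the top of this hunk declares the rule derived from ab90dab8-c7da-4010-9193-563528cfa347, while that rule (file_executable_detected_win_susp_embeded_sed_file.yml in the next hunk) declares itself derived from this one, so the two declarations are circular when read literally. The Sigma `related` vocabulary also offers `similar`, which appears to be the intended relationship between two sibling rules that watch the same artefact from different log sources; I would change `type: derived` to `type: similar` in both files, or keep `derived` on one side only. Separately, the six path fragments under `TargetFilename|contains` are the same list as `selection_paths` in proc_creation_win_iexpress_susp_execution.yml but without that file's tuning comment; a one-line note such as `# Note: keep in sync with proc_creation_win_iexpress_susp_execution.yml; extend with uncommon paths as needed` would stop the two lists drifting apart.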
@@ -0,0 +1,30 @@
+title: Potentially Suspicious Self Extraction Directive File Created
+id: ab90dab8-c7da-4010-9193-563528cfa347
+related:
+ - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
+ type: derived
+status: experimental
+description: |
+ Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files.
+ These files are used by the "iexpress.exe" utility in order to create self extracting packages.
+ Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
+ Usually ".sed" files are simple ini files and not PE binaries.
+references:
+ - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
+ - https://en.wikipedia.org/wiki/IExpress
+ - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024/02/05
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ product: windows
+ category: file_executable_detected
+detection:
+ selection:
+ TargetFilename|endswith: '.sed'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
new file mode 100644
index 000000000..52264203a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
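Review bot: The `logsource` block in this hunk lists `product: windows` before `category: file_executable_detected`, whereas the other three rules in this commit put `category` first; this is style only, but the rules are otherwise laid out identically and the odd one out reads as an oversight. The description also has a small grammar slip, `The ".sed" extension stand for` should be `The ".sed" extension stands for`. Since the selection consists solely of `TargetFilename|endswith: '.sed'`, the rule relies entirely on the log source category having already classified the written file as executable; that is presumably deliberate and worth a sentence in the description, e.g. `The log source itself only reports executable file writes, so matching the extension alone is sufficient.`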
@@ -0,0 +1,39 @@
+title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
+id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
+status: experimental
+description: |
+ Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
+ This behavior has been observed in-the-wild by different threat actors.
+references:
+ - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
+ - https://en.wikipedia.org/wiki/IExpress
+ - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
+ - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/02/05
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
+ selection_img:
+ - Image|endswith: '\iexpress.exe'
+ - OriginalFileName: 'IEXPRESS.exe'
+ selection_cli:
+ CommandLine|contains: ' /n '
+ selection_paths:
+ CommandLine|contains:
+ # Note: Add more uncommon paths that fit your organizational needs.
+ - ':\ProgramData\'
+ - ':\Temp\'
+ - ':\Windows\System32\Tasks\'
+ - ':\Windows\Tasks\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ condition: all of selection_*
+falsepositives:
+ - Administrators building packages using iexpress.exe
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index 150df29f0..0f9b671ae 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
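Review bot: The `# VT Query` comment above `selection_img` records that the observed samples used `/n /q /m` together with a `.sed` argument, yet the selections only require `' /n '` plus one of the path fragments and never the `.sed` extension; that widening looks intentional (a directive file can presumably carry any name), but nothing in the hunk says so and a later editor may "tighten" it back. I would add `# Note: ".sed" is deliberately not required; the directive file may have been renamed.` under `selection_cli`. The path list under `selection_paths` is duplicated verbatim in file_event_win_sed_file_creation.yml, so the existing tuning note could also point there to keep both lists aligned. With `level: high` and `\AppData\Local\Temp\` in scope, the falsepositives entry is the only hint that legitimate package builds from a user temp directory will match; a second entry naming that case explicitly would help triage.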
@@ -26,6 +26,7 @@
 "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"],
 "raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
 "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
+ "file_executable_detected":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "Hashes", "User"],
 "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"],
 "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"],
 "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"],