IExpress.EXE Binary Proxy Execution Through Diamond.EXE

Rule Info

Name
IExpress.EXE Binary Proxy Execution Through Diamond.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of a binary named "diamond.exe" through "IExpress.EXE". In almost all cases the IExpress binary spawns the "makecab" utility in order to create the ".cab" file requested by the user via the ".SED" file. Internally it offers a different mode if the ".SED" file specifies a CompressionMode called "QUANTUM". In this mode it will look for a binary named "diamond.exe". Because this binary has been deprecated and is not available in newer versions of Windows, attackers can use this fact in order to execute any binary named "diamond.exe" located in the same directory IExpress is executed in.
Reference
Internal Research
Date
2024-03-12 00:00:00
Modified
None
Id
0de8c2eb-20d2-467f-963b-d197f1f475e1
Tags
attack.execution attack.t1218
Type
Nextron Sigma feed only (private)
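The following is an added illustration of the parent/child relationship described above, not the Nextron rule's own (private) detection logic: it flags process-creation events in which IExpress.EXE launches a child named diamond.exe, while leaving the normal makecab child alone. Field names ("ParentImage", "Image") follow Sysmon Event ID 1 conventions and the sample events are constructed, not real telemetry.

```python
import ntpath

# Assumed field names: Sysmon Event ID 1 style "ParentImage" / "Image".
# Windows paths are handled with ntpath so the check also runs on non-Windows hosts.
def is_iexpress_diamond_proxy(event: dict) -> bool:
    """True when IExpress.EXE is the parent of a process whose image is diamond.exe."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == "iexpress.exe" and child == "diamond.exe"


def find_matches(events: list) -> list:
    """Return every event that matches the IExpress -> diamond.exe pattern."""
    return [e for e in events if is_iexpress_diamond_proxy(e)]


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    # Default IExpress behaviour: the expected makecab child, should not match.
    {"ParentImage": r"C:\Windows\System32\iexpress.exe",
     "Image": r"C:\Windows\System32\makecab.exe"},
    # QUANTUM mode lookup resolving to an attacker-placed diamond.exe, should match.
    {"ParentImage": r"C:\Windows\System32\iexpress.exe",
     "Image": r"C:\Users\Public\build\diamond.exe"},
    # IExpress itself being launched from Explorer, unrelated to this rule.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\iexpress.exe"},
    # diamond.exe started by something other than IExpress, outside this rule's scope.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\build\diamond.exe"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("IExpress proxy execution:", hit["ParentImage"], "->", hit["Image"])
```

Since diamond.exe no longer ships with current Windows releases, any match is worth investigating regardless of the child's path.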

Rule History