
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Sigma Rules
Summary
This rule detects 'iexpress.exe' being used to build a self-extracting package from a Self Extraction Directive (SED) file that resides in a potentially suspicious directory. 'iexpress.exe' is a built-in, Microsoft-signed Windows tool for creating self-extracting executables and is legitimately used to package software installations. Threat actors have, however, abused it to wrap and deliver malicious payloads or to make unauthorized modifications to a system, precisely because it is a trusted binary that already exists on the host. The rule matches on the process command line of 'iexpress.exe': it fires when the SED file path referenced on that command line falls under directories traditionally associated with suspicious activity, such as 'ProgramData', 'Temp' and 'AppData'. It therefore requires process-creation telemetry that records the full command line (for example Sysmon Event ID 1, or Security Event ID 4688 with command-line logging enabled). Alerts from this rule can point to defense evasion, payload staging or persistence on Windows systems; legitimate installer builds run from these directories are a possible source of false positives and should be baselined.
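The matching logic described above, run over a few constructed process-creation events, as an added example that is not the published Sigma rule. The field names 'Image' and 'CommandLine' follow the usual Sigma process_creation convention, the '/N' and '/Q' switches on the sample command lines are real iexpress.exe switches but the command lines themselves are constructed, and the exact selection values of the real rule are not reproduced from the page; the example only implements the conditions the summary states.

```python
"""Toy evaluator for the iexpress.exe / suspicious-SED-location detection.

Added example, not the Sigma rule itself. Field names (Image, CommandLine)
are assumed to follow the Sigma process_creation convention; the exact
selection values of the published rule are not reproduced here.
"""
import re

# Directory fragments the rule summary names as suspicious for the SED file.
# Matched case-insensitively against the path referenced on the command line.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\temp\\", "\\appdata\\")

# A .sed file path on the command line, either quoted (may contain spaces)
# or unquoted (no spaces). Drive letter plus backslash anchors the path.
SED_PATH_RE = re.compile(
    r'"(?P<q>[A-Za-z]:\\[^"]*?\.sed)"'              # quoted path
    r'|(?P<u>[A-Za-z]:\\[^\s"]*?\.sed)(?=\s|$)',    # unquoted path
    re.IGNORECASE,
)


def sed_paths(command_line):
    """Return every .sed file path referenced on the command line."""
    return [m.group("q") or m.group("u") for m in SED_PATH_RE.finditer(command_line)]


def is_suspicious_iexpress(event):
    """True when iexpress.exe is building a package from a SED file whose
    path lies under one of the suspicious directories."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\iexpress.exe"):
        return False
    for sed in sed_paths(event.get("CommandLine", "")):
        lowered = sed.lower()
        if any(fragment in lowered for fragment in SUSPICIOUS_DIRS):
            return True
    return False


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: an administrator builds an installer from a project directory.
    {"Image": "C:\\Windows\\System32\\iexpress.exe",
     "CommandLine": 'iexpress.exe /N "C:\\Users\\alice\\Documents\\installer\\setup.sed"'},
    # Suspicious: SED staged under the user's AppData\Local\Temp directory.
    {"Image": "C:\\Windows\\System32\\iexpress.exe",
     "CommandLine": "iexpress.exe /N C:\\Users\\bob\\AppData\\Local\\Temp\\build.sed"},
    # Suspicious: SED under ProgramData, quoted because the path has a space.
    {"Image": "C:\\Windows\\SysWOW64\\iexpress.exe",
     "CommandLine": 'iexpress.exe /N /Q "C:\\ProgramData\\Update Cache\\pkg.sed"'},
    # Not iexpress at all: another process merely mentions a SED under Temp.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Windows\\Temp\\notes.sed"},
]


def evaluate(events):
    """Apply the detection to each event and return the verdicts in order."""
    return [is_suspicious_iexpress(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if verdict else "      ", event["CommandLine"])
```

Note that the check keys on the SED path taken from the command line, not on where 'iexpress.exe' itself lives, and that a quoted path containing spaces has to be parsed as one token; a naive substring search for 'Temp' across the whole command line would also fire on the last, non-iexpress event and on any unrelated argument containing that word.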
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2024-02-05