Potentially Suspicious Self Extraction Directive File Created

Sigma Rules

Summary
This detection rule identifies the creation of Self Extraction Directive (SED) files, which typically carry the ".sed" extension. SED files are associated with the Windows utility "iexpress.exe," which is commonly used to create self-extracting packages. However, threat actors have been known to abuse this utility to generate potentially malicious Portable Executable (PE) files that include embedded SED files. Such anomalies are concerning because conventional SED files are simple INI-style configuration files, not executable binaries. The creation of an SED file can therefore indicate a defense evasion technique in which a malicious payload is embedded in a seemingly benign file format. The rule works by monitoring the filesystem for newly created files with the ".sed" extension and can help surface activity indicative of malware deployment or other malicious behavior.
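The following Python snippet is an added illustration of the detection logic described above; it is not the Sigma rule itself and not code from the rule's authors. It runs the ".sed" extension check over a handful of constructed file-creation events (field names "Image" and "TargetFilename" are assumed, in the style of Sysmon file-create telemetry) and adds a small triage helper that distinguishes an INI-style SED file from one that actually begins with a PE header, which is the anomaly the summary calls out.

```python
import os

# Constructed sample file-creation events (not real telemetry). Field names
# "Image" and "TargetFilename" are assumptions modeled on Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\iexpress.exe",
     "TargetFilename": r"C:\Users\alice\Documents\package.sed"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\build.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\stage.SED"},
]


def is_sed_file_creation(event: dict) -> bool:
    """True when the created file carries the .sed extension (case-insensitive),
    which is the condition the rule monitors for."""
    _, ext = os.path.splitext(event.get("TargetFilename", ""))
    return ext.lower() == ".sed"


def match_events(events: list[dict]) -> list[dict]:
    """Return every file-creation event that the rule would flag."""
    return [e for e in events if is_sed_file_creation(e)]


def classify_sed_content(data: bytes) -> str:
    """Triage helper for analysts reviewing a flagged file.

    A conventional SED file is INI text that opens with a bracketed section
    header; a file that starts with the 'MZ' DOS header is a PE image and is
    the anomalous case described in the rule summary.
    """
    if data[:2] == b"MZ":
        return "pe"
    body = data[3:] if data.startswith(b"\xef\xbb\xbf") else data  # drop UTF-8 BOM
    first_line = body.lstrip().split(b"\n", 1)[0].rstrip(b"\r")
    if first_line.startswith(b"[") and first_line.endswith(b"]"):
        return "ini"
    return "unknown"


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(f"SED file created by {hit['Image']}: {hit['TargetFilename']}")
    # Constructed content samples for the triage helper
    print(classify_sed_content(b"[Version]\r\nClass=IEXPRESS\r\n"))  # ini
    print(classify_sed_content(b"MZ\x90\x00\x03\x00"))                 # pe
```

Extension matching alone will also fire on legitimate iexpress use, so the triage helper (or the creating process image in the event) is what an analyst would use to separate routine package building from a PE masquerading as a directive file.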
Categories
  • Endpoint
  • Windows
Data Sources
  • File
Created: 2024-02-05