ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
Detects extraction of ISO, VHD, LNK, or IMG files from zip files. Commonly associated with QakBot and IcedID.
Sigma rule

```yaml
title: ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
id: f853978d-343e-4879-ab56-dfe07f1f2f0b
status: experimental
description: Detects extraction of ISO, VHD, LNK, or IMG files from zip files. Commonly associated with QakBot and IcedID.
references:
  - https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/#:~:text=HTML%20smuggling%20is%20a%20technique,directly%20on%20the%20victim's%20device.
  - https://www.malwarebytes.com/blog/news/2021/11/evasive-maneuvers-html-smuggling-explained
author: Micah Babinski
date: 2022/12/15
tags:
  - attack.s0650
  - attack.s0483
  - attack.defense_evasion
  - attack.t1027
  - attack.t1027.006
  - attack.t1564
logsource:
  category: file_event
  product: windows
detection:
  selection:
    Image|endswith:
      - '\explorer.exe'
      - '\WinRAR.exe'
    TargetFilename|endswith:
      - '.iso'
      - '.vhd'
      - '.img'
      - '.lnk'
  condition: selection
falsepositives:
  - Unknown
level: medium
```
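To show what the selection above actually matches, here is an added example (not part of the rule or its repository) that evaluates the rule's two `endswith` conditions over constructed Sysmon Event ID 11 (FileCreate) records; the sample events, paths and the `matches_rule`/`alerts` helper names are assumptions made for the illustration.

```python
"""Evaluate the Sigma selection over constructed Sysmon FileCreate events.

Sigma string matching is case-insensitive by default, so both sides are
lowercased before comparison; '.ISO' and '\\WINRAR.EXE' therefore match.
"""

# Suffix lists copied from the rule's selection (lowercased for comparison).
IMAGE_SUFFIXES = ("\\explorer.exe", "\\winrar.exe")
TARGET_SUFFIXES = (".iso", ".vhd", ".img", ".lnk")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    Note that the selection never inspects the source archive: any file
    create of these extensions by explorer.exe or WinRAR.exe fires, while an
    extraction performed by another archiver (e.g. 7-Zip) is not covered.
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(IMAGE_SUFFIXES) and target.endswith(TARGET_SUFFIXES)


# Constructed sample events, not real telemetry. EventID 11 = Sysmon FileCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice\\invoice.iso"},
    {"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa0\\Docs.LNK"},
    {"EventID": 11, "Image": "C:\\Program Files\\7-Zip\\7zG.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\disk.img"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
]


def alerts(events) -> list:
    """Return the TargetFilename of every FileCreate event the rule flags."""
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == 11 and matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The third sample event shows the coverage gap worth knowing when tuning: an `.img` written by 7-Zip does not fire because the rule only lists explorer.exe and WinRAR.exe.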
Related rules
- Web Browser Creates Zip Archive File (Sysmon)
- Suspicious User-Initiated Process Execution on External Drive (Old)
- Suspicious User-Initiated Process Execution on External Drive (Sysmon)
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Suspicious Process Execution in PerfLogs Directory