ISO File Write to Suspicious Folder (RedCanary Threat Detection Report)
Detects ISO files written to a user's Downloads folder or an AppData folder, a pattern associated with Mark-of-the-Web bypass. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: ISO File Write to Suspicious Folder (RedCanary Threat Detection Report)
id: bedf5cac-6332-4463-98ab-818f9e31234c
status: experimental
description: Detects files written to user downloads folder or appdata folder, associated with Mark-of-the-Web Bypass. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/mark-of-the-web-bypass/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1553.005
logsource:
    category: file_event
    product: windows
detection:
    selection_iso:
        TargetFilename|endswith: '.iso'
    selection_user_downloads:
        TargetFilename|contains|all:
            - 'Users'
            - 'Downloads'
    selection_appdata:
        TargetFilename|contains: 'appdata'
    condition: selection_iso and (selection_user_downloads or selection_appdata)
falsepositives:
    - Unknown
level: low
```
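To show what the condition above actually fires on, here is an added example (not part of the rule or of Red Canary's report) that applies the rule's logic to a few constructed Sysmon-style file_event records; it mirrors Sigma's default case-insensitive string matching, so `'appdata'` still matches `AppData`, and the sample events are invented, not real telemetry.

```python
# Added example: a minimal evaluator for the Sigma condition
#   selection_iso and (selection_user_downloads or selection_appdata)
# run over constructed file_event records (Sysmon Event ID 11 shape).

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice_0423.iso"},
    {"Image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\attachment.ISO"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"Image": r"C:\Tools\oscdimg.exe",
     "TargetFilename": r"D:\builds\win11-custom.iso"},
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition."""
    # Sigma string modifiers are case-insensitive unless |cased is used,
    # so compare everything in lower case.
    target = event.get("TargetFilename", "").lower()
    selection_iso = target.endswith(".iso")
    selection_user_downloads = all(s in target for s in ("users", "downloads"))
    selection_appdata = "appdata" in target
    return selection_iso and (selection_user_downloads or selection_appdata)


def evaluate(events: list) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT (bedf5cac): ISO written to suspicious folder:", hit)
```

Note that the last sample, an ISO built by an imaging tool outside any user profile, does not match, which is the kind of benign write the rule deliberately leaves out; the level is set to low because the remaining matches still need context (the writing process, a later mount event) before they are actionable.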
Related rules
- CMD Launching Batch Script Stored on External Drive (Chromeloader)
- Potential Homoglyph Attack Using Lookalike Characters
- Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)
- Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
- Rundll32 Injection into LSASS (RedCanary Threat Detection Report)