ISO File Created Within Temp Folders

 1title: ISO File Created Within Temp Folders
 2id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
 3status: test
 4description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
 5references:
 6    - https://twitter.com/Sam0x90/status/1552011547974696960
 7    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
 8    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 9author: '@sam0x90'
10date: 2022-07-30
11tags:
12    - attack.initial-access
13    - attack.t1566.001
14logsource:
15    category: file_event
16    product: windows
17detection:
18    selection_1:
19        TargetFilename|contains|all:
20            - '\AppData\Local\Temp\'
21            - '.zip\'
22        TargetFilename|endswith: '.iso'
23    selection_2:
24        TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
25        TargetFilename|endswith: '.iso'
26    condition: 1 of selection*
27fields:
28    - Image
29    - ComputerName
30    - TargetFileName
31falsepositives:
32    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
33level: high

References

• x.com

  
  Read More

• Threat actors leverages DLL-SideLoading to spread Qakbot

  

  QBot malware operators are using the Windows Calculator to side-load the malicious payload on target systems.

  
  Read More

• atomic-red-team/atomics/T1553.005/T1553.005.md at 0f229c0e42bfe7ca736a14023836d65baa941ed2 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Arbitrary Shell Command Execution Via Settingcontent-Ms
• Disk Image Mounting Via Hdiutil - MacOS
• Droppers Exploiting CVE-2017-11882
• Exploit for CVE-2017-0261
• Exploit for CVE-2017-8759