ISO File Created Within Temp Folders
Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
Sigma rule (View on GitHub)
1title: ISO File Created Within Temp Folders
2id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
3status: test
4description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
5references:
6 - https://twitter.com/Sam0x90/status/1552011547974696960
7 - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
8 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
9author: '@sam0x90'
10date: 2022/07/30
11tags:
12 - attack.initial_access
13 - attack.t1566.001
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection_1:
19 TargetFilename|contains|all:
20 - '\AppData\Local\Temp\'
21 - '.zip\'
22 TargetFilename|endswith: '.iso'
23 selection_2:
24 TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
25 TargetFilename|endswith: '.iso'
26 condition: 1 of selection*
27fields:
28 - Image
29 - ComputerName
30 - TargetFileName
31falsepositives:
32 - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
33level: high
References
-
-
QBot malware operators are using the Windows Calculator to side-load the malicious payload on target systems.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Office Macro File Creation
- Password Protected ZIP File Opened (Email Attachment)
- ISO or Image Mount Indicator in Recent Files
- Windows Registry Trust Record Modification