ISO or Image Mount Indicator in Recent Files
Detects the creation of a recent-element file (a shortcut in the user's Recent folder) that points to an .ISO, .IMG, .VHD or .VHDX file, a technique often used in phishing attacks to deliver malware inside a mountable image. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.
Sigma rule
```yaml
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
status: test
description: |
    Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
    This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
references:
    - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
    - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
author: Florian Roth (Nextron Systems)
date: 2022/02/11
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.iso.lnk'
            - '.img.lnk'
            - '.vhd.lnk'
            - '.vhdx.lnk'
        TargetFilename|contains: '\Microsoft\Windows\Recent\'
    condition: selection
falsepositives:
    - Cases in which a user mounts an image file for legitimate reasons
level: medium
```
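To show what the `selection` block above actually matches, here is an added example (not part of the rule or the Sigma project) that implements the same logic in Python and runs it over a few constructed Sysmon Event ID 11 (FileCreate) records. Sigma string modifiers compare case-insensitively, so the check lower-cases the path first; the field names and sample paths are assumptions for illustration.

```python
from typing import Dict, Iterable, List

# Suffixes and path fragment taken from the rule's selection block.
# Sigma `endswith` with a list is an OR over the values; both conditions
# inside `selection` are ANDed.
IMAGE_LNK_SUFFIXES = (".iso.lnk", ".img.lnk", ".vhd.lnk", ".vhdx.lnk")
RECENT_FRAGMENT = "\\microsoft\\windows\\recent\\"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when a file_event record satisfies the rule's selection.

    Sigma backends evaluate `endswith` / `contains` case-insensitively, so the
    path is normalised to lower case before comparison.
    """
    target = event.get("TargetFilename", "").lower()
    return target.endswith(IMAGE_LNK_SUFFIXES) and RECENT_FRAGMENT in target


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records (not real telemetry); field names follow Sysmon EID 11.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Invoice_4471.ISO.lnk"},
    {"EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Q1_report.docx.lnk"},
    {"EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\backup.vhdx.lnk"},
    # The image itself landing in Downloads does not match: the rule keys on the
    # shortcut Explorer writes to Recent when the user opens (mounts) the file.
    {"EventID": "11", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice_4471.ISO"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetFilename"])
```

The third sample (a .vhdx shortcut) fires just like the .iso one, which is where the rule's server-side false-positive note applies: on file servers or backup hosts, add a filter on hostname or user before raising the alert level.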
Related rules
- Windows Registry Trust Record Modification
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution