ISO or Image Mount Indicator in Recent Files

calendar Aug 28, 2023 · attack.initial_access attack.t1566.001  ·
Share on: linkedin copy

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Sigma rule (View on GitHub)

 1title: ISO or Image Mount Indicator in Recent Files
 2id: 4358e5a5-7542-4dcb-b9f3-87667371839b
 3status: test
 4description: |
 5    Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
 6    This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.    
 7references:
 8    - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
 9    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
10    - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
11    - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
12author: Florian Roth (Nextron Systems)
13date: 2022/02/11
14tags:
15    - attack.initial_access
16    - attack.t1566.001
17logsource:
18    product: windows
19    category: file_event
20detection:
21    selection:
22        TargetFilename|endswith:
23            - '.iso.lnk'
24            - '.img.lnk'
25            - '.vhd.lnk'
26            - '.vhdx.lnk'
27        TargetFilename|contains: '\Microsoft\Windows\Recent\'
28    condition: selection
29falsepositives:
30    - Cases in which a user mounts an image file for legitimate reasons
31level: medium

References

Related rules

to-top