VHD Image Download Via Browser

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Sigma rule (View on GitHub)

 1title: VHD Image Download Via Browser
 2id: 8468111a-ef07-4654-903b-b863a80bbc95
 3status: test
 4description: |
 5    Detects creation of ".vhd"/".vhdx" files by browser processes.
 6    Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.    
 7references:
 8    - https://redcanary.com/blog/intelligence-insights-october-2021/
 9    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
10    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
11author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
12date: 2021/10/25
13modified: 2023/05/05
14tags:
15    - attack.resource_development
16    - attack.t1587.001
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection:
22        Image|endswith:
23            - '\brave.exe'
24            - '\chrome.exe'
25            - '\firefox.exe'
26            - '\iexplore.exe'
27            - '\maxthon.exe'
28            - '\MicrosoftEdge.exe'
29            - '\msedge.exe'
30            - '\msedgewebview2.exe'
31            - '\opera.exe'
32            - '\safari.exe'
33            - '\seamonkey.exe'
34            - '\vivaldi.exe'
35            - '\whale.exe'
36        # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
37        TargetFilename|contains: '.vhd'
38    condition: selection
39falsepositives:
40    - Legitimate downloads of ".vhd" files would also trigger this
41level: medium

References

Related rules

to-top