Suspicious Invoke-Item From Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW (Mark-of-the-Web).
Sigma rule
title: Suspicious Invoke-Item From Mount-DiskImage
id: 902cedee-0398-4e3a-8183-6f3a89773a96
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-evasion
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
            - Get-Volume
            - '.DriveLetter'
            - 'invoke-item '
            - '):\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
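To make the selection logic concrete, the following is an added example (not Sigma's code, not a backend's code, and not part of this rule) that re-implements the `ScriptBlockText|contains|all` selection in Python and runs it over constructed Event ID 4104 script block texts. The sample scripts are hypothetical and built for illustration; Sigma string matching is case-insensitive by default, which is why the rule's `'invoke-item '` also covers `Invoke-Item`.

```python
"""Added example: Sigma `contains|all` selection for this rule, evaluated over
constructed PowerShell script block texts (Event ID 4104, ScriptBlockText)."""

# The six substrings from the rule's selection; all must be present.
SELECTION = (
    "Mount-DiskImage ",
    "-ImagePath ",
    "Get-Volume",
    ".DriveLetter",
    "invoke-item ",
    "):\\",  # the literal text  ):\  as produced by "$($drive):\file"
)


def matches(script_block_text: str, needles=SELECTION) -> bool:
    """Sigma `contains|all` semantics: every needle is a case-insensitive substring."""
    haystack = script_block_text.lower()
    return all(needle.lower() in haystack for needle in needles)


# Constructed sample script blocks (hypothetical; not taken from any real incident).
SAMPLES = {
    # Mounts an ISO, resolves its drive letter and opens a file from it: the pattern this rule targets.
    "mount_and_run": (
        'Mount-DiskImage -ImagePath "C:\\Users\\user\\Downloads\\invoice.iso" -StorageType ISO\n'
        '$vol = Get-DiskImage -ImagePath "C:\\Users\\user\\Downloads\\invoice.iso" | Get-Volume\n'
        'Invoke-Item "$($vol.DriveLetter):\\setup.exe"\n'
    ),
    # Benign administration: mounts a VHD and lists its volume, never runs anything from it.
    "mount_only": (
        'Mount-DiskImage -ImagePath "D:\\backups\\server.vhd" -Access ReadOnly\n'
        'Get-DiskImage -ImagePath "D:\\backups\\server.vhd" | Get-Volume | Format-Table DriveLetter,Size\n'
    ),
    # Invoke-Item on an ordinary path with no disk image involved.
    "plain_invoke": 'invoke-item "C:\\report.docx"\n',
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample_name: matched} for every constructed script block."""
    return {name: matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:14} -> {'ALERT' if hit else 'no match'}")
```

Note that the rule requires all six strings to appear in one ScriptBlockText value, so the sample is only caught because the mount, the `Get-Volume` lookup and the `Invoke-Item` call were logged as a single script block; when reviewing 4104 events, correlate neighbouring blocks from the same ScriptBlockId and host rather than relying on a single event.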
Related rules
- Suspicious Mount-DiskImage
- Suspicious Unblock-File
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType