Suspicious Invoke-Item From Mount-DiskImage

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Sigma rule (View on GitHub)

 1title: Suspicious Invoke-Item From Mount-DiskImage
 2id: 902cedee-0398-4e3a-8183-6f3a89773a96
 3status: test
 4description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
 7    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 8author: frack113
 9date: 2022/02/01
10tags:
11    - attack.defense_evasion
12    - attack.t1553.005
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - 'Mount-DiskImage '
21            - '-ImagePath '
22            - Get-Volume
23            - '.DriveLetter'
24            - 'invoke-item '
25            - '):\'
26    condition: selection
27falsepositives:
28    - Legitimate PowerShell scripts
29level: medium

References

Related rules

to-top