Suspicious Invoke-Item From Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
Sigma rule

title: Suspicious Invoke-Item From Mount-DiskImage
id: 902cedee-0398-4e3a-8183-6f3a89773a96
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
    - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022/02/01
tags:
    - attack.defense_evasion
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
            - Get-Volume
            - '.DriveLetter'
            - 'invoke-item '
            - '):\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
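As an added example (not part of the Sigma project or of this rule's page), the following Python evaluates the rule's `ScriptBlockText|contains|all` selection the way a Sigma backend would, against constructed Script Block Logging (Event ID 4104) records; the event dictionaries, record ids, paths and script text are constructed samples, and Sigma's case-insensitive substring semantics are assumed.

```python
# Added example: apply this rule's contains|all selection to constructed
# PowerShell Script Block Logging events (Event ID 4104). Not Sigma project code.
import json

# Selector strings copied from the rule above. Note the trailing spaces on
# four of them: they are part of the match, so 'Mount-DiskImage ' only matches
# when the cmdlet is followed by an argument on the same line.
SELECTION_CONTAINS_ALL = [
    "Mount-DiskImage ",
    "-ImagePath ",
    "Get-Volume",
    ".DriveLetter",
    "invoke-item ",
    "):\\",
]


def matches_rule(script_block_text: str) -> bool:
    """True when every selector occurs in the script block.

    Sigma string modifiers are case-insensitive, so both sides are lower-cased;
    this is why the rule's lower-case 'invoke-item ' still hits 'Invoke-Item '.
    """
    haystack = script_block_text.lower()
    return all(needle.lower() in haystack for needle in SELECTION_CONTAINS_ALL)


def evaluate(events):
    """Return the RecordIds of 4104 events whose ScriptBlockText satisfies the rule."""
    return [e["RecordId"] for e in events
            if e.get("EventID") == 4104 and matches_rule(e["ScriptBlockText"])]


# Constructed sample events (Microsoft-Windows-PowerShell/Operational, 4104).
# Record 1 follows the mount -> resolve drive letter -> invoke pattern the rule
# describes; records 2 and 3 are benign administrative use and must not fire.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": ('$img = Mount-DiskImage -ImagePath C:\\Users\\alice\\Downloads\\invoice.iso -PassThru\n'
                         '$d = ($img | Get-Volume).DriveLetter\n'
                         'Invoke-Item "$($d):\\setup.exe"')},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": 'Mount-DiskImage -ImagePath D:\\images\\backup.vhd\nGet-Volume | Format-Table'},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": 'Get-ChildItem C:\\temp | Where-Object {$_.Length -gt 1MB}'},
]

if __name__ == "__main__":
    print(json.dumps({"matched_record_ids": evaluate(SAMPLE_EVENTS)}))
```

Record 2 mounts an image and lists volumes but never resolves `.DriveLetter` or calls `invoke-item`, which is the kind of legitimate script the rule's falsepositives entry refers to.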
Related rules
- Suspicious Mount-DiskImage
- Suspicious Unblock-File
- CMD Launching Batch Script Stored on External Drive (Chromeloader)
- Disable System Firewall
- Powershell Detect Virtualization Environment