Suspicious Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
Sigma rule
```yaml
title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-evasion
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
```
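To see what the selection above actually catches, here is a small stand-in evaluator for the rule's `contains|all` logic, added for this page and not part of Sigma or the rule itself; the events are constructed samples of the ScriptBlockText that Script Block Logging (Event ID 4104) records. It shows two edges of the pattern: the trailing space in 'Mount-DiskImage ' (a script block ending in the cmdlet name is missed) and plain substring matching (Dismount-DiskImage also triggers).

```python
# Selection copied from the rule above. The evaluator is a minimal stand-in for a
# Sigma backend, written for this example; it is not Sigma's own matching code.
SELECTION = {"ScriptBlockText|contains|all": ["Mount-DiskImage ", "-ImagePath "]}


def field_matches(spec, needles, event):
    """Evaluate one selection entry of the form 'Field|contains[|all]'.

    Sigma string matching is case-insensitive by default; with 'all' every
    listed value must be found in the field, otherwise any one hit suffices.
    """
    field, *mods = spec.split("|")
    if "contains" not in mods:
        raise ValueError("unsupported modifiers: %r" % mods)
    value = str(event.get(field, "")).lower()
    hits = [needle.lower() in value for needle in needles]
    return all(hits) if "all" in mods else any(hits)


def rule_matches(event):
    """condition: selection -> every entry of the selection must hold."""
    return all(field_matches(spec, vals, event) for spec, vals in SELECTION.items())


# Constructed sample 4104 events (not real log data).
EVENTS = [
    # 1. classic delivery pattern: mounting an ISO from the Downloads folder
    {"EventID": 4104, "ScriptBlockText": "Mount-DiskImage -ImagePath C:\\Users\\u\\Downloads\\invoice.iso"},
    # 2. same cmdlet, lower-case and quoted path: still matched (case-insensitive)
    {"EventID": 4104, "ScriptBlockText": 'mount-diskimage -imagepath "D:\\backup\\server.vhd" -StorageType VHD'},
    # 3. cmdlet is the last token, so 'Mount-DiskImage ' (with trailing space) is absent: missed
    {"EventID": 4104, "ScriptBlockText": "Get-DiskImage -ImagePath C:\\iso\\win.iso | Mount-DiskImage"},
    # 4. Dismount-DiskImage contains 'mount-DiskImage ' as a substring: matched (noise source)
    {"EventID": 4104, "ScriptBlockText": "Dismount-DiskImage -ImagePath C:\\iso\\win.iso"},
]


def flag_events(events):
    """Return the script blocks the rule would alert on."""
    return [e["ScriptBlockText"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for text in flag_events(EVENTS):
        print("ALERT:", text)
```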
Related rules
- Suspicious Invoke-Item From Mount-DiskImage
- Suspicious Unblock-File
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType