Suspicious Mount-DiskImage

Adversaries may abuse container files such as disk images (.iso, .vhd) to deliver malicious payloads. The downloaded image itself may carry the Mark-of-the-Web (MOTW), but the files inside it, once the image is mounted, may not, so payloads extracted from it can bypass MOTW-based controls such as SmartScreen and Office Protected View. This rule looks for the PowerShell cmdlet Mount-DiskImage used with its -ImagePath parameter in script block logs.

Sigma rule

title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022/02/01
tags:
    - attack.defense_evasion
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
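As an added example, not part of the rule or of the Sigma project, the following Python reimplements the rule's `contains|all` selection and runs it over constructed Event ID 4104 records (the event that Sigma's `ps_script` logsource corresponds to). Sigma string matching is case-insensitive by default, so both sides are lower-cased. The sample events are made up for this illustration, not captured logs, and `matches_rule`, `run_rule`, and `SAMPLE_EVENTS` are names chosen here.

```python
# Substrings from the rule's ScriptBlockText|contains|all selection.
# Note the trailing spaces: they come straight from the rule.
RULE_PATTERNS = ("Mount-DiskImage ", "-ImagePath ")


def matches_rule(script_block_text: str, patterns=RULE_PATTERNS) -> bool:
    """Sigma `contains|all`: every pattern must occur as a case-insensitive
    substring of the field. Order and position do not matter."""
    haystack = script_block_text.lower()
    return all(p.lower() in haystack for p in patterns)


# Constructed sample events shaped like Windows Event ID 4104
# (PowerShell Script Block Logging). Not real log captures.
SAMPLE_EVENTS = [
    # True positive: the Atomic Red Team style invocation.
    {"EventID": 4104,
     "ScriptBlockText": "Mount-DiskImage -ImagePath C:\\Users\\Public\\invoice.iso"},
    # True positive: mixed case, VHD, extra parameters.
    {"EventID": 4104,
     "ScriptBlockText": "mount-diskimage -imagepath $env:TEMP\\update.vhd -StorageType VHD"},
    # Miss: positional ImagePath, so '-ImagePath ' never appears.
    {"EventID": 4104,
     "ScriptBlockText": "Mount-DiskImage C:\\ISO\\Win11.iso"},
    # Benign: a different Storage cmdlet with the same parameter name.
    {"EventID": 4104,
     "ScriptBlockText": "Get-DiskImage -ImagePath D:\\images\\base.vhdx | Get-Volume"},
    # Fires although it is an unmount: 'Dismount-DiskImage ' contains
    # 'Mount-DiskImage ' as a substring.
    {"EventID": 4104,
     "ScriptBlockText": "Dismount-DiskImage -ImagePath C:\\Users\\Public\\invoice.iso"},
    # Not a script block event; the ps_script logsource does not cover it.
    {"EventID": 4103,
     "ScriptBlockText": "Mount-DiskImage -ImagePath C:\\x.iso"},
]


def run_rule(events, patterns=RULE_PATTERNS):
    """Apply the rule to a list of event dicts and return the ScriptBlockText
    of every hit, in input order."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if matches_rule(text, patterns):
            hits.append(text)
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two things the run makes visible. First, the rule is substring-based, so `Dismount-DiskImage -ImagePath ...` is alerted on exactly like a mount; in an environment that scripts image cleanup this is a source of the "legitimate PowerShell scripts" false positives the rule lists, and a tuning filter on `Dismount-DiskImage` is worth considering. Second, a mount that passes the path positionally (`Mount-DiskImage C:\x.iso`) or via `-ImagePath:C:\x.iso` does not contain the literal `-ImagePath ` and is missed, so treat this rule as a low-cost indicator, not as complete coverage of disk image mounting.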
