Phishing Pattern ISO in Archive

calendar Aug 12, 2024 · attack.initial-access attack.t1566  ·
Share on: linkedin copy

Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)

Sigma rule (View on GitHub)

 1title: Phishing Pattern ISO in Archive
 2id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
 3status: test
 4description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
 5references:
 6    - https://twitter.com/1ZRR4H/status/1534259727059787783
 7    - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
 8author: Florian Roth (Nextron Systems)
 9date: 2022-06-07
10tags:
11    - attack.initial-access
12    - attack.t1566
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith:
19            - '\Winrar.exe'
20            - '\7zFM.exe'
21            - '\peazip.exe'
22        Image|endswith:
23            - '\isoburn.exe'
24            - '\PowerISO.exe'
25            - '\ImgBurn.exe'
26    condition: selection
27falsepositives:
28    - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
29level: high

References

Related rules

to-top