Phishing Pattern ISO in Archive
Detects cases in which an ISO file is opened from within an archiver such as 7-Zip or WinRAR. This is a sign of phishing: threat actors put small ISO files inside archives sent as email attachments in order to bypass certain filters and protective measures (mark of the web).
Sigma rule
title: Phishing Pattern ISO in Archive
id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
status: test
description: Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of the web)
references:
    - https://twitter.com/1ZRR4H/status/1534259727059787783
    - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
author: Florian Roth (Nextron Systems)
date: 2022/06/07
tags:
    - attack.initial_access
    - attack.t1566
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Winrar.exe'
            - '\7zFM.exe'
            - '\peazip.exe'
        Image|endswith:
            - '\isoburn.exe'
            - '\PowerISO.exe'
            - '\ImgBurn.exe'
    condition: selection
falsepositives:
    - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
level: high
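To show what the selection above actually matches, here is the rule's parent/child logic re-implemented in plain Python and run over a few constructed process-creation events. This is an added example, not code from the Sigma project or the rule author; the event structure and sample paths are assumptions made for illustration, and Sigma's default case-insensitive string matching is reproduced by lower-casing both sides.

```python
# Added example: the rule's ParentImage/Image selection applied to constructed
# process-creation events. Not part of the Sigma project or the rule page.
from dataclasses import dataclass

# Values copied from the rule's selection; compared case-insensitively,
# which is Sigma's default for string matching.
PARENT_SUFFIXES = ("\\winrar.exe", "\\7zfm.exe", "\\peazip.exe")
IMAGE_SUFFIXES = ("\\isoburn.exe", "\\poweriso.exe", "\\imgburn.exe")


@dataclass
class ProcessCreation:
    """Minimal process_creation event (assumed shape, not a real log schema)."""
    parent_image: str
    image: str


def matches_rule(event: ProcessCreation) -> bool:
    """Equivalent of 'condition: selection': both |endswith lists must match."""
    parent = event.parent_image.lower()
    image = event.image.lower()
    return parent.endswith(PARENT_SUFFIXES) and image.endswith(IMAGE_SUFFIXES)


def alerts(events):
    """Return the events that would fire this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (paths invented for the example).
SAMPLE_EVENTS = [
    # ISO opened directly from inside an archive: matches
    ProcessCreation(r"C:\Program Files\WinRAR\WinRAR.exe",
                    r"C:\Windows\System32\isoburn.exe"),
    ProcessCreation(r"C:\Program Files\7-Zip\7zFM.exe",
                    r"C:\Program Files\PowerISO\PowerISO.exe"),
    # ISO opened from Explorer, not from an archiver: parent does not match
    ProcessCreation(r"C:\Windows\explorer.exe",
                    r"C:\Windows\System32\isoburn.exe"),
    # Text file opened from an archive: child does not match
    ProcessCreation(r"C:\Program Files\7-Zip\7zFM.exe",
                    r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit.parent_image} -> {hit.image}")
```

Only the first two events fire; the Explorer-launched ISO and the notepad child are filtered out by the parent and child suffix lists respectively, which is also where the documented false positive (a user clicking an ISO inside a legitimate archive) would land.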
Related rules
- Malicious QakBot Dropped File Creation (Event 4663)
- Search-ms and WebDAV Indicators in URL
- WebDAV Temporary Local File Creation
- Download From Suspicious TLD - Blacklist
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)