Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint)
ISO images are usually meant to be used offline, and they are mostly used by IT admins and/or on servers.
Installing from an ISO file does not require a network connection most of the time. Activity that deviates from these patterns can be considered highly suspicious. The queries below detect the opening of a mounted image, process creation under a mounted image, and a network connection from a process created under a mounted image.
All detections can be used separately or combined to generate a higher-fidelity alert. The first query detects the opening of a mounted image.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | No specific technique |
Event coverage
| Provider | Event/ActionType | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Security-Auditing | Event ID 4657 | A registry value was modified. |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
| Defender-DeviceFileEvents | any | File activity (any) |
| Defender-DeviceRegistryEvents | RegistryValueSet | Registry value set |
Rule body

Detect opening of a mounted image (a Recent-items shortcut ending in .iso.lnk or .img.lnk is written when the image is opened):

```kusto
// Author: Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://mergene.medium.com)
// Link to original post:
// Part-1: https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-1-c4f953edd13f?source=friends_link&sk=e685d7d44928edd142972a4041463f10
// Part-2: https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-2-f8dd600430e2?source=friends_link&sk=38b7cd310a4929c25d3eefc545683d5f
//
//
// Query parameters:
let lookback = 1h;
// Get ISO mount events
DeviceFileEvents
| where Timestamp > ago(lookback)
| where FileName endswith ".iso.lnk" or FileName endswith ".img.lnk"
// Exclude servers and workstations used by IT admins if needed.
```

Detect process creation under a mounted image (the drive letter assigned to the mount is taken from the MountedDevices registry value and joined against the FolderPath of new processes on the same device):

```kusto
// Author: Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://mergene.medium.com)
// Link to original post:
// Part-1: https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-1-c4f953edd13f?source=friends_link&sk=e685d7d44928edd142972a4041463f10
// Part-2: https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-2-f8dd600430e2?source=friends_link&sk=38b7cd310a4929c25d3eefc545683d5f
//
//
// Query parameters:
let lookback = 1h;
// Get mounted devices and extract the folder name
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet" and RegistryKey == @"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices" and RegistryValueName startswith @"\DosDevices\"
| extend Folder = toupper(replace(@'\\DosDevices\\(\w:)',@'\1',RegistryValueName)) // Extract the folder name
// Get process creations that have the mounted image as the FolderPath
| join kind=inner
(
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Folder = toupper(replace(@'(\w:)\\.*',@'\1',FolderPath))
) on DeviceId, Folder
// If needed, exclude servers from the results.
```

Detect network connections from a process created under a mounted image (same join, but against the InitiatingProcessFolderPath of network events):

```kusto
// Author: Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://mergene.medium.com)
// Link to original post:
// Part-1: https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-1-c4f953edd13f?source=friends_link&sk=e685d7d44928edd142972a4041463f10
// Part-2: https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-2-f8dd600430e2?source=friends_link&sk=38b7cd310a4929c25d3eefc545683d5f
//
//
// Query parameters:
let lookback = 1h;
// Get mounted devices and extract the folder name
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet" and RegistryKey == @"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices" and RegistryValueName startswith @"\DosDevices\"
| extend Folder = toupper(replace(@'\\DosDevices\\(\w:)',@'\1',RegistryValueName)) // Extract the folder name
// Get network connections of processes that have the mounted image as the InitiatingProcessFolderPath
| join kind=inner
(
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| extend Folder = toupper(replace(@'(\w:)\\.*',@'\1',InitiatingProcessFolderPath))
) on DeviceId, Folder
// If needed, exclude the legitimate activity and servers
```
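To check the drive-letter join offline, here is the logic of the three queries re-implemented in Python over a few constructed MDE-style rows. This is an added example, not the author's or the catalog's code; the regexes closely follow the Kusto ones (a bare drive root such as `E:` is also accepted, as the Kusto `replace` leaves it unchanged), and the sample rows, device names and addresses are constructed.

```python
import re
# Regexes as in the Kusto queries: \DosDevices\E: -> E:, E:\dir\x.exe -> E:
DOSDEVICES_RE = re.compile(r"\\DosDevices\\(\w:)")
FOLDER_RE = re.compile(r"(\w:)(?:\\.*)?$")  # drive root "E:" also matches
MD_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"

def mounted_folder(registry_value_name):
    """Drive letter of a \\DosDevices\\X: value name, upper-cased; else None."""
    m = DOSDEVICES_RE.fullmatch(registry_value_name)
    return m.group(1).upper() if m else None

def folder_of(path):
    """Drive letter of a drive-rooted path; UNC or relative paths give None."""
    m = FOLDER_RE.match(path)
    return m.group(1).upper() if m else None

def iso_opened(file_events):
    """Query 1: Recent-items shortcuts written when an .iso/.img is opened."""
    return [e for e in file_events
            if e["FileName"].lower().endswith((".iso.lnk", ".img.lnk"))]

def mounted_volumes(registry_events):
    """Left side of queries 2 and 3: (DeviceId, drive letter) per mount event."""
    vols = set()
    for e in registry_events:
        if e["ActionType"] == "RegistryValueSet" and e["RegistryKey"] == MD_KEY:
            folder = mounted_folder(e["RegistryValueName"])
            if folder:
                vols.add((e["DeviceId"], folder))
    return vols

def from_mounted_volume(registry_events, events, path_field):
    """Inner join on (DeviceId, Folder): events whose path_field is on a mount."""
    vols = mounted_volumes(registry_events)
    return [e for e in events if (e["DeviceId"], folder_of(e[path_field])) in vols]

# Constructed sample rows, not real telemetry; field names follow the MDE tables.
FILES = [{"DeviceId": "ws01", "FileName": "invoice.iso.lnk"}, {"DeviceId": "ws01", "FileName": "notes.txt.lnk"}]
REGISTRY = [{"DeviceId": "ws01", "ActionType": "RegistryValueSet", "RegistryKey": MD_KEY,
             "RegistryValueName": r"\DosDevices\E:"}]
PROCESSES = [
    {"DeviceId": "ws01", "FolderPath": r"E:\Invoice", "FileName": "setup.exe"},
    {"DeviceId": "ws01", "FolderPath": r"C:\Windows\System32", "FileName": "svchost.exe"},
    {"DeviceId": "ws02", "FolderPath": r"E:\Tools", "FileName": "tool.exe"},  # E: not mounted on ws02
]
NETWORK = [  # a UNC-rooted initiator has no drive letter, so it never joins
    {"DeviceId": "ws01", "InitiatingProcessFolderPath": r"E:\Invoice", "RemoteIP": "192.0.2.10"},
    {"DeviceId": "ws01", "InitiatingProcessFolderPath": r"\\fs01\share", "RemoteIP": "192.0.2.11"},
]
```

Only rows whose device has the matching drive letter in its MountedDevices events survive the join, which is why the ws02 process and the UNC-rooted connection are dropped.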
Stages and Predicates
Parameters
let lookback = 1h;
Stage 1: source
DeviceFileEvents
Stage 2: where
| where Timestamp > ago(lookback)
Stage 3: where
| where FileName endswith ".iso.lnk" or FileName endswith ".img.lnk"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| FileName | ends_with | .iso.lnk, .img.lnk |