Detection rules › Splunk
ISO File in Temp Folder (Windows Event Log)
Threat actors may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This use case detects file events involving AppData Temp folder locations involving zip and ISO files, as observed with Qakbot from end of July 2022. Event 4656 and/or 4663 are required for detection. To specifically audit file creations, enable object access auditing and configure auditing on the directories \AppData\Local\Temp and AppData\Local\Microsoft\Windows\INetCache\Content.Outlook'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4656 | A handle to an object was requested. |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
Rule body yaml
id: '23357.42539'
title: ISO File in Temp Folder
description: Threat actors may rely upon a user opening a malicious file in order
to gain execution. Users may be subjected to social engineering to get them to open
a file that will lead to code execution. This use case detects file events involving
AppData Temp folder locations involving zip and ISO files, as observed with Qakbot
from end of July 2022. Event 4656 and/or 4663 are required for detection. To specifically
audit file creations, enable object access auditing and configure auditing on the
directories \AppData\Local\Temp and AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4656) OR
"<EventID>4656<" OR TERM(EventCode=4663) OR "<EventID>4663<") ("\\AppData\\Local\\Temp"
OR "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content\\Outlook") ".zip" ".iso"
| where match(process_path, "(?i)(\x5cAppData\x5cLocal\x5cMicrosoft\x5cWindows\x5cINetCache\x5cContent\.Outlook|\x5cAppData\x5cLocal\x5cTemp).*\.zip\x5c")
and match(ObjectName, "(?i)\.iso($|\")") | table _time, host, user, signature_id,
process, process_*, parent_* | bin span=1s | stats values(*) as * by _time, host '
techniques:
- execution:user execution:malicious file
technique_id:
- T1204.002
data_category:
- Windows event logs
references:
- https://www.microsoft.com/en-us/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4656) OR "<EventID>4656<" OR TERM(EventCode=4663) OR "<EventID>4663<") ("\\AppData\\Local\\Temp" OR "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content\\Outlook") ".zip" ".iso"
Stage 2: where
| where match(process_path, "(?i)(\x5cAppData\x5cLocal\x5cMicrosoft\x5cWindows\x5cINetCache\x5cContent\.Outlook|\x5cAppData\x5cLocal\x5cTemp).*\.zip\x5c") and match(ObjectName, "(?i)\.iso($|\")")
Stage 3: table
| table _time, host, user, signature_id, process, process_*, parent_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ObjectName | match |
|
process_path | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4656<" |
| 1 | TERM |
| 1 | "<EventID>4663<" |
| 1 | "\\AppData\\Local\\Temp" |
| 1 | "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content\\Outlook" |
| 1 | ".zip" |
| 1 | ".iso" |