Detection rules › Splunk
ISO Image Mounted - Windows (PowerShell)
Threat actors such as APT29 have used ISO files to deliver malicious code to target systems. Normally, when a file is downloaded from the internet, Windows adds a Zone Identifier to identify the file's origin (known as mark-of-the-web or MOTW). Files stored with an ISO do not contain the Zone Identifier Alternate Data Stream, enabling MOTW bypass. This use case detects ISO images mounted on Windows systems
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
| Defense Impairment | T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass |
References
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '20231.35922'
title: ISO Image Mounted - Windows
description: 'Threat actors such as APT29 have used ISO files to deliver malicious
code to target systems. Normally, when a file is downloaded from the internet, Windows
adds a Zone Identifier to identify the file''s origin (known as mark-of-the-web
or MOTW). Files stored with an ISO do not contain the Zone Identifier Alternate
Data Stream, enabling MOTW bypass. This use case detects ISO images mounted on Windows
systems. -- Threat Actor Association: Lazarus -- Atomics T1553.005 Test #1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(Mount-DiskImage
OR TERM(mdisk)) | table _time, host, user, process, process_*, parent_process_*
| bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:subvert trust controls:mark-of-the-web bypass
- execution:user execution:malicious file
technique_id:
- T1553.005
- T1204.002
data_category:
- PowerShell logs
references:
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
Stages and Predicates
Stage 1: search
search EventCode=4103 EventCode=4104 source="*" source IN ("WinEventLog:Microsoft-Windows-PowerShell/Operational", "WinEventLog:Windows", "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational")
Stage 2: table
table _time, host, parent_process_*, process, process_*, user
Stage 3: bucket
bucket _time
Stage 4: stats
stats … AS values_all BY _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | "Mount-DiskImage OR TERM(mdisk" |