Detection rules › Splunk
ISO Image Mounted - Windows (Windows Event Log)
Threat actors such as APT29 have used ISO files to deliver malicious code to target systems. Normally, when a file is downloaded from the internet, Windows adds a Zone Identifier to identify the file's origin (known as mark-of-the-web or MOTW). Files stored with an ISO do not contain the Zone Identifier Alternate Data Stream, enabling MOTW bypass. This use case detects ISO images mounted on Windows systems
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
| Defense Impairment | T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass |
References
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
Rule body yaml
id: '20231.35920'
title: ISO Image Mounted - Windows
description: 'Threat actors such as APT29 have used ISO files to deliver malicious
code to target systems. Normally, when a file is downloaded from the internet, Windows
adds a Zone Identifier to identify the file''s origin (known as mark-of-the-web
or MOTW). Files stored with an ISO do not contain the Zone Identifier Alternate
Data Stream, enabling MOTW bypass. This use case detects ISO images mounted on Windows
systems. -- Threat Actor Association: Lazarus -- Atomics T1553.005 Test #1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4663) OR
"<EventID>4663<") "Device\\CdRom" | where match(file_path, "(?i)\x5cDevice\x5cCdRom")
and not match(file_path, "\x5cDevice\x5cCdRom0\x5csetup\.exe")| table _time, host,
user, process, process_*, parent_process_* | bin span=1s | stats values(*) as *
by _time, host '
techniques:
- defense-evasion:subvert trust controls:mark-of-the-web bypass
- execution:user execution:malicious file
technique_id:
- T1553.005
- T1204.002
data_category:
- Windows event logs
references:
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4663) OR "<EventID>4663<") "Device\\CdRom"
Stage 2: where
| where match(file_path, "(?i)\x5cDevice\x5cCdRom") and not match(file_path, "\x5cDevice\x5cCdRom0\x5csetup\.exe")
Stage 3: table
| table _time, host, user, process, process_*, parent_process_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
file_path | match | "\x5cDevice\x5cCdRom0\x5csetup\.exe" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4663<" |
| 1 | "Device\\CdRom" |