Adversaries may create ISO files in temporary folders to exfiltrate data or deploy malware, as seen in Qakbot activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or malware deployment attempts.
Detection Rule
title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: test
description: Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTP from end-July 2022.
references:
    - https://twitter.com/Sam0x90/status/1552011547974696960
    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: '@sam0x90'
date: 2022-07-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip\'
        TargetFilename|endswith: '.iso'
    selection_2:
        TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
        TargetFilename|endswith: '.iso'
    condition: 1 of selection*
falsepositives:
    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
level: high
imFileEvent
| where (TargetFileName contains "\\AppData\\Local\\Temp\\"
         and TargetFileName contains ".zip\\"
         and TargetFileName endswith ".iso")
    or (TargetFileName contains "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\"
        and TargetFileName endswith ".iso")
Scenario: User creates ISO file for software installation
Description: A user may generate an ISO file as part of installing a legitimate software package, such as Microsoft Office or a system update.
Filter/Exclusion: Exclude files created by known legitimate tools like DISM (Deployment Image Servicing and Management) or msiexec.exe in the C:\Users\<User>\AppData\Local\Temp directory.
Scenario: System update or patching job generates ISO file
Description: A scheduled task or patching tool (e.g., Windows Update, SCCM, or WSUS) may create temporary ISO files during the update process.
Filter/Exclusion: Exclude files created by wusa.exe, dism.exe, or msiexec.exe in the C:\Windows\Temp directory.
Scenario: Admin uses PowerShell to create ISO for testing
Description: An administrator may use PowerShell or a script to generate an ISO file for testing purposes, such as creating a test environment or backup.
Filter/Exclusion: Exclude files created by PowerShell scripts or tools like MakeISO.exe in the C:\Windows\Temp or C:\Users\Admin\AppData\Local\Temp directories.
Scenario: Temporary ISO file generated by a legitimate application
Description: Some applications, such as virtualization tools (VMware, VirtualBox) or disk imaging tools, may create temporary ISO files during operation.
Filter/Exclusion: Exclude files created by vmrun.exe, VBoxManage.exe, or dd.exe in the C:\Users\<User>\AppData\Local\Temp directory.
Scenario: ISO file created during a backup or restore process
Description: Backup tools (e.g., Veeam, Acronis, or
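The following Python matcher is an added example, not code from the rule author or from the page: it implements the two Sigma selections and the `1 of selection*` condition over constructed file-creation events, then applies a process allowlist built from the false-positive scenarios above. The `image` field, the sample paths and the allowlisted process names are assumptions made for the demonstration; strings are compared in lower case because Sigma string modifiers and the KQL `contains`/`endswith` operators are case-insensitive.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-creation event; fields follow the Sigma rule and the FP scenarios."""
    target_filename: str  # TargetFilename in the Sigma rule
    image: str            # creating process (assumed to be present in the file_event source)


# Selections transcribed from the Sigma rule, pre-lowered for case-insensitive matching.
SELECTION_1_CONTAINS_ALL = ("\\appdata\\local\\temp\\", ".zip\\")
SELECTION_2_CONTAINS = "\\appdata\\local\\microsoft\\windows\\inetcache\\content.outlook\\"
ISO_SUFFIX = ".iso"


def matches_rule(target_filename: str) -> bool:
    """Evaluate `condition: 1 of selection*` for a single TargetFilename."""
    t = target_filename.lower()
    if not t.endswith(ISO_SUFFIX):          # both selections require the .iso suffix
        return False
    selection_1 = all(needle in t for needle in SELECTION_1_CONTAINS_ALL)
    selection_2 = SELECTION_2_CONTAINS in t
    return selection_1 or selection_2


# Allowlist derived from the false-positive scenarios: servicing, installer and
# virtualization binaries that may legitimately write an ISO. Keyed on the image
# basename (assumption: the file_event source carries the creating process path).
EXCLUDED_IMAGES = frozenset({"dism.exe", "msiexec.exe", "wusa.exe", "vmrun.exe", "vboxmanage.exe"})


def is_excluded(image: str) -> bool:
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename in EXCLUDED_IMAGES


def evaluate(events):
    """Return the events that match the rule and are not covered by the allowlist."""
    return [ev for ev in events
            if matches_rule(ev.target_filename) and not is_excluded(ev.image)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Explorer extracting a zipped ISO into %TEMP%\Temp1_<archive>.zip\ -> selection_1
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.iso",
              r"C:\Windows\explorer.exe"),
    # ISO written to the Outlook attachment cache -> selection_2 (mixed-case extension)
    FileEvent(r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\scan.ISO",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    # Matches selection_1 but comes from an allowlisted servicing tool -> suppressed
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\Temp1_media.zip\boot.iso",
              r"C:\Windows\System32\Dism.exe"),
    # Right folder, wrong extension -> no match
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.pdf",
              r"C:\Windows\explorer.exe"),
    # ISO inside a .zip\ folder, but not under the temp path the rule watches -> no match
    FileEvent(r"C:\Users\alice\Downloads\tools.zip\tools.iso",
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} -> {ev.target_filename}")
```

Running the block prints two alerts (the Explorer extraction and the Outlook cache write) and suppresses the Dism.exe event. The allowlist is deliberately limited to the named installer and virtualization binaries and does not exclude PowerShell wholesale: a script interpreter dropping an ISO under %TEMP% is exactly the activity this rule exists to surface, so a PowerShell exclusion, if needed at all, should be scoped to a specific signed script or directory as the scenarios above describe rather than to the interpreter.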