The hypothesis is that the creation of a recent file pointing to an ISO, IMG, VHD, or VHDX file indicates potential phishing activity where an adversary is attempting to mount a malicious image. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage phishing attacks that leverage image files to deliver payloads.
Detection Rule
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
status: test
description: |
    Detects the creation of a recent element file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks.
    This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.
references:
    - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
    - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
author: Florian Roth (Nextron Systems)
date: 2022-02-11
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.iso.lnk'
            - '.img.lnk'
            - '.vhd.lnk'
            - '.vhdx.lnk'
        TargetFilename|contains: '\Microsoft\Windows\Recent\'
    condition: selection
falsepositives:
    - Cases in which a user mounts an image file for legitimate reasons
level: medium
Azure Sentinel query (ASIM imFileEvent parser):
// In the ASIM FileEvent schema, TargetFileName holds only the file name,
// so the Recent-folder check has to run against TargetFilePath (the full path).
imFileEvent
| where (TargetFileName endswith ".iso.lnk"
      or TargetFileName endswith ".img.lnk"
      or TargetFileName endswith ".vhd.lnk"
      or TargetFileName endswith ".vhdx.lnk")
    and TargetFilePath contains "\\Microsoft\\Windows\\Recent\\"
False-Positive Scenarios

Scenario: System Image Backup Creation
    Description: A system administrator creates a system image backup using tools such as DISM or wbadmin, which generate .vhd or .vhdx files.
    Filter/Exclusion: Exclude files created by wbadmin or DISM, identified via the command line or via scheduled task names containing “backup” or “image”.

Scenario: Virtual Machine Disk Mounting
    Description: A user mounts a .vhd or .vhdx file using Hyper-V or VMware tools for virtual machine configuration or disk management.
    Filter/Exclusion: Exclude files accessed by vmms.exe, vmrun.exe, or tasks related to Hyper-V management.

Scenario: ISO File for Software Deployment
    Description: An IT admin uses an .iso file to deploy software via tools such as PowerShell, MSIEXEC, or DISM for OS or application installation.
    Filter/Exclusion: Exclude files accessed by msiexec.exe, powershell.exe, or tasks with “deployment” in their name.

Scenario: Scheduled Job for Disk Imaging
    Description: A scheduled task runs a disk imaging tool such as Acronis True Image or Macrium Reflect to create .img or .vhd files for backup.
    Filter/Exclusion: Exclude files created by tasks with names such as “Acronis Backup” or “Macrium Reflect” in the task scheduler.

Scenario: User Mounts ISO for Software Installation
    Description: A user mounts an .iso file using tools such as PowerISO, Daemon Tools, or the built-in Windows ISO mounter to install software.
    Filter/Exclusion: Exclude files accessed by PowerISO.exe, DaemonTools.exe, or user-initiated mounts with
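The following is an added example, not code from the rule's author or the Sigma project: a small Python re-implementation of the rule's selection logic (the Sigma block and its Sentinel translation above), run over constructed file-event records, with a tuning layer that models the host-role exclusion the description hints at ("false positive on server systems") and the process-name exclusions the scenarios list. The record fields, the host-role enrichment, the list of benign process names and all sample paths are assumptions for the example. One caveat worth keeping in mind when tuning: the shortcut in the Recent folder is written by the Windows shell, so the creating process on the .lnk event is normally explorer.exe; a process-based exclusion therefore has to be fed from a correlated mount or process-creation event, which the example simply assumes has already populated the image field.

```python
# Added example (not part of the original rule page): applies the Sigma
# selection to constructed Windows file-event records and then applies the
# host-role and process-name exclusions the description and scenarios suggest.
from dataclasses import dataclass

# Suffixes and folder fragment taken from the rule. Comparison is lower-cased
# because Sigma string modifiers (endswith, contains) are case-insensitive.
IMAGE_LNK_SUFFIXES = (".iso.lnk", ".img.lnk", ".vhd.lnk", ".vhdx.lnk")
RECENT_FOLDER = "\\microsoft\\windows\\recent\\"

# Assumed tuning lists (not from the rule): the process names the scenarios
# call legitimate, and the host roles on which the description expects benign mounts.
BENIGN_PROCESSES = {"wbadmin.exe", "dism.exe", "vmms.exe", "vmrun.exe",
                    "msiexec.exe", "poweriso.exe", "daemontools.exe"}
BENIGN_HOST_ROLES = {"server"}


@dataclass(frozen=True)
class FileEvent:
    """Subset of a Sysmon Event ID 11 (FileCreate) record; field names assumed."""
    host: str
    host_role: str        # "workstation" or "server" (assumed enrichment field)
    image: str            # process credited with writing the file
    target_filename: str  # full path of the created file


def matches_selection(target_filename: str) -> bool:
    """The rule's 'selection' block: the suffix AND the Recent-folder path must match."""
    name = target_filename.lower()
    return name.endswith(IMAGE_LNK_SUFFIXES) and RECENT_FOLDER in name


def is_excluded(ev: FileEvent) -> bool:
    """Tuning layer: drop events from server hosts or from the scenario processes."""
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    return ev.host_role in BENIGN_HOST_ROLES or proc in BENIGN_PROCESSES


def evaluate(events):
    """Return the events that match the selection and survive the exclusions."""
    return [ev for ev in events
            if matches_selection(ev.target_filename) and not is_excluded(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("WS01", "workstation", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\Invoice_2024.iso.lnk"),
    FileEvent("WS02", "workstation", r"C:\Windows\explorer.exe",
              r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\REPORT.IMG.LNK"),
    FileEvent("SRV01", "server", r"C:\Windows\explorer.exe",
              r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\backup.vhdx.lnk"),
    FileEvent("WS03", "workstation", r"C:\Windows\System32\msiexec.exe",
              r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Recent\office.iso.lnk"),
    FileEvent("WS04", "workstation", r"C:\Windows\explorer.exe",
              r"C:\Users\dave\Desktop\tool.iso.lnk"),          # .lnk outside Recent
    FileEvent("WS05", "workstation", r"C:\Windows\explorer.exe",
              r"C:\Users\erin\Downloads\payload.iso"),          # the image itself, not a .lnk
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT host={ev.host} file={ev.target_filename}")
```

Run as-is, the script alerts on WS01 and WS02 only: WS02 shows that the upper-case `REPORT.IMG.LNK` still matches, SRV01 is dropped by host role, WS03 by the msiexec.exe exclusion, and WS04/WS05 never match the selection because they are outside the Recent folder or are not a shortcut at all.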