Adversaries may load malicious images as part of initial compromise or persistence, leveraging Azure container environments to evade traditional detection. SOC teams should proactively hunt for this behavior to identify and mitigate potential IcedId malware activity in their cloud infrastructure.
KQL Query

```kql
// Image loads where the loading process is rundll32.exe or regsvr32.exe
// and the loaded module carries a document-style extension (.txt / .pdf),
// a pattern seen with IcedId loaders. in~ and endswith are case-insensitive.
DeviceImageLoadEvents
| where InitiatingProcessFileName in~ ('rundll32.exe','regsvr32.exe')
| where FileName endswith '.txt' or FileName endswith '.pdf'
```
```yaml
id: b64c8a59-94ad-4659-b95e-36238312da5c
name: Suspicious Image Load related to IcedId
description: |
  Use this query to locate suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to ransomware.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceImageLoadEvents
tactics:
  - Execution
  - Ransomware
query: |
  DeviceImageLoadEvents
  | where InitiatingProcessFileName in~ ('rundll32.exe','regsvr32.exe')
  | where FileName endswith '.txt' or FileName endswith '.pdf'
```
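To show what the two `where` clauses actually match, here is an added offline emulation of the query (not part of the original page or of Sentinel) run over constructed DeviceImageLoadEvents rows; it reproduces the case-insensitive semantics of KQL `in~` and `endswith`, so mixed-case process or file names are still caught.

```python
"""Offline emulation of the IcedId hunting query over constructed sample rows."""
from collections import Counter
from typing import Dict, Iterable, List

# Values taken from the query itself.
INITIATING_PROCESSES = ("rundll32.exe", "regsvr32.exe")
SUSPICIOUS_SUFFIXES = (".txt", ".pdf")

# Constructed sample of DeviceImageLoadEvents rows (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "rundll32.exe",
     "FileName": "invoice.pdf", "FolderPath": r"C:\Users\u\AppData\Local\Temp"},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "REGSVR32.EXE",
     "FileName": "Readme.TXT", "FolderPath": r"C:\Users\u\Downloads"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "rundll32.exe",
     "FileName": "shell32.dll", "FolderPath": r"C:\Windows\System32"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "explorer.exe",
     "FileName": "notes.txt", "FolderPath": r"C:\Users\u\Documents"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "regsvr32.exe",
     "FileName": "plugin.pdf.dll", "FolderPath": r"C:\Program Files\App"},
]


def is_suspicious_image_load(event: Dict[str, str]) -> bool:
    """Apply both filters of the query.

    KQL `in~` is a case-insensitive set membership test and `endswith` is a
    case-insensitive suffix test, so both sides are lower-cased here.
    """
    initiator = event.get("InitiatingProcessFileName", "").lower()
    loaded = event.get("FileName", "").lower()
    return initiator in INITIATING_PROCESSES and loaded.endswith(SUSPICIOUS_SUFFIXES)


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows the query would surface, in input order."""
    return [e for e in events if is_suspicious_image_load(e)]


def hits_per_device(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Equivalent of appending `| summarize count() by DeviceName`."""
    return dict(Counter(e["DeviceName"] for e in hunt(events)))


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["DeviceName"], row["InitiatingProcessFileName"], row["FileName"])
    print(hits_per_device(SAMPLE_EVENTS))
```

Note that `plugin.pdf.dll` is not matched: `endswith` looks only at the final suffix, which is why the query keys on the literal extension rather than on a substring.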
| Sentinel Table | Notes |
|---|---|
| DeviceImageLoadEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Image Load via dism for Windows Updates
Description: A system administrator uses the dism tool to apply a Windows image update, which may trigger image-related detection logic.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe and the command line includes dism /online /apply-image.

Scenario: Scheduled Job for Backup Image Creation
Description: A backup tool like Veeam or Acronis creates a disk image as part of a scheduled backup job.
Filter/Exclusion: Exclude processes where the command line includes backup or snapshot and the process is initiated by a scheduled task with a known backup service account.

Scenario: Admin Task to Deploy a New OS Image via SCCM
Description: A System Center Configuration Manager (SCCM) task deploys a new operating system image to a set of endpoints.
Filter/Exclusion: Exclude processes where the parent process is ccmexec.exe and the command line includes osimage or deploy.

Scenario: User-Initiated Disk Image Mounting for Data Access
Description: A user mounts a disk image using tools like Mount Image in Windows or loopback in Linux to access data.
Filter/Exclusion: Exclude processes where the user is a domain admin and the command line includes mount or mount-image, or the file path is known to be a legitimate image file.

Scenario: Image Processing by a Security Tool (e.g., ESET, Bitdefender)
Description: A security tool temporarily loads an image file as part of its analysis or sandboxing process.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., `esetui.exe