Adversaries deliver payloads inside mountable Virtual Hard Disk images (".vhd"/".vhdx") because the container carries executables and scripts past mail and web content filters, and files opened from a mounted image do not reliably inherit the Mark-of-the-Web that the browser stamped on the download. The rule below flags the first observable step of that chain on the endpoint: a browser process writing a ".vhd"/".vhdx" file to disk. SOC teams can run the Microsoft Sentinel (formerly Azure Sentinel) translation as a hunt and then triage each hit by who downloaded the image, from where, and whether it was subsequently mounted.
Detection Rule
title: VHD Image Download Via Browser
id: 8468111a-ef07-4654-903b-b863a80bbc95
status: test
description: |
    Detects creation of ".vhd"/".vhdx" files by browser processes.
    Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-10-25
modified: 2023-05-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
        # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
        TargetFilename|contains: '.vhd'
    condition: selection
falsepositives:
    - Legitimate downloads of ".vhd" files would also trigger this
level: medium
Microsoft Sentinel translation (ASIM imFileEvent parser). The Sigma field Image is the process that creates the file, which in the ASIM FileEvent schema is ActingProcessName; TargetFilePath is the file being written. Comparing TargetFilePath against browser executable names, as an earlier version of this query did, can never match together with a ".vhd" file name, so the query returned nothing. The EventType filter restricts the query to file creations, matching the rule's file_event category.
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\brave.exe" or ActingProcessName endswith "\\chrome.exe" or ActingProcessName endswith "\\firefox.exe" or ActingProcessName endswith "\\iexplore.exe" or ActingProcessName endswith "\\maxthon.exe" or ActingProcessName endswith "\\MicrosoftEdge.exe" or ActingProcessName endswith "\\msedge.exe" or ActingProcessName endswith "\\msedgewebview2.exe" or ActingProcessName endswith "\\opera.exe" or ActingProcessName endswith "\\safari.exe" or ActingProcessName endswith "\\seamonkey.exe" or ActingProcessName endswith "\\vivaldi.exe" or ActingProcessName endswith "\\whale.exe"
| where TargetFilePath contains ".vhd"
Scenario: Administrator downloads a vendor-supplied VHD/VHDX image through a browser
Description: IT staff fetch evaluation VMs, appliance images or lab disks from a vendor portal using Edge, Chrome or Firefox. The browser creates the ".vhd"/".vhdx" file (and its Zone.Identifier stream), so the rule fires exactly as it would for a malicious download. This is the only class of activity the rule matches, and it is the false positive named in the rule itself.
Filter/Exclusion: Scope any exclusion to the hosts and accounts that legitimately do this (for example a named IT or lab workstation group) rather than to the file type. Use the download origin, not a User-Agent: file_event telemetry carries no HTTP headers, but the Zone.Identifier stream the browser writes records the HostUrl and ReferrerUrl, and Sysmon logs that stream's contents in Event ID 15 (FileCreateStreamHash). Correlating the alert with that event lets you allow-list known vendor hosts and still alert on images pulled from anywhere else.
Scenario: VHD files written by non-browser processes (Intune, Veeam, Hyper-V, File Explorer, VMware tooling)
Description: Other activity produces ".vhd"/".vhdx" files on Windows hosts: a package staged by the Intune Management Extension, a Veeam Backup & Replication job writing backup disks, the Hyper-V Virtual Machine Management service (vmms.exe) creating a fresh VHDX when an administrator builds a VM in Hyper-V Manager (nothing is downloaded in that case), a user copying an image from a share such as \\server\share\vhd\ with explorer.exe, or test automation driving VMware tooling.
Filter/Exclusion: None needed for this rule. The selection requires the creating process (Image) to be one of the listed browsers, so files written by management agents, backup services, vmms.exe, explorer.exe or virtualization tools never match. Process-name, service-account or share-path exclusions only become relevant if you broaden the rule into a general "any VHD written to disk" hunt; in that case exclude by the writing process name and by the source path of copies from trusted shares, and keep the browser-only version as the higher-fidelity alert.