Device Detect UR Lopenedfrom IS Ofile

//Detect when a user mounts an ISO file and then within 20 minutes launches a browser. These events could be unrelated because a BrowserLaunchedToOpenUrl event doesn't confirm if the lnk file was in the ISO file. //The detection is just based on time between mounting an ISO file and then launching a URL. //Data connector required for this query - M365 Defender - Device* tables //Microsoft Sentinel query //Find events where an ISO file is mounted by detecting the creation of a .iso.lnk file DeviceFileEvents | where TimeGenerated > ago(1d) | where ActionType == "FileCreated" //This may create some false positives with files named iso.lnk at the end like summary-ciso.lnk | where FileName endswith "iso.lnk" | project ISOMountTime=TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessAccountName //Join to our DeviceEvents where a browser is opened to launch a URL | join kind=inner( DeviceEvents | where TimeGenerated > ago(1d) | where ActionType == "BrowserLaunchedToOpenUrl" //Find only RemoteURLs that are web sites | where RemoteUrl startswith "http" | project URLOpenTime=TimeGenerated, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort ) on DeviceName, InitiatingProcessAccountName //Find browser opened to URL events that happened within 20 minutes of the ISO file being mounted | where URLOpenTime between ((ISOMountTime - timespan(0min)) .. (ISOMountTime + timespan(20min))) | extend ['ISO FileName'] = trim(@".lnk", FileName) | project ISOMountTime, URLOpenTime, ['ISO FileName'], DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort //Advanced Hunting query //Data connector required for this query - Advanced Hunting license DeviceFileEvents | where Timestamp > ago(1d) | where ActionType == "FileCreated" //This may create some false positives with files named iso.lnk at the end like summary-ciso.lnk | where FileName endswith "iso.lnk" | project ISOMountTime=Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName //Join to our DeviceEvents where a browser is opened to launch a URL | join kind=inner( DeviceEvents | where Timestamp > ago(1d) | where ActionType == "BrowserLaunchedToOpenUrl" //Find only RemoteURLs that are web sites | where RemoteUrl startswith "http" | project URLOpenTime=Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort ) on DeviceName, InitiatingProcessAccountName //Find browser opened to URL events that happened within 20 minutes of the ISO file being mounted | where URLOpenTime between ((ISOMountTime - timespan(0min)) .. (ISOMountTime + timespan(20min))) | extend ['ISO FileName'] = trim(@".lnk", FileName) | project ISOMountTime, URLOpenTime, ['ISO FileName'], DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort

Explanation

This query is designed to detect when a user mounts an ISO file and then launches a browser within 20 minutes. It looks for events where a .iso.lnk file is created, indicating the mounting of an ISO file. It then joins this information with events where a browser is opened to launch a URL. The query filters for browser events that occurred within 20 minutes of the ISO file being mounted. The results include the timestamps of the ISO file mounting and browser opening, the file name of the ISO file, device information, the user account that initiated the events, and details of the opened URL.

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceFileEventsDeviceEvents

Keywords

DeviceFileEvents,TimeGenerated,ActionType,FileName,FolderPath,InitiatingProcessAccountName,DeviceEvents,RemoteUrl,RemoteIP,RemotePort,Timestamp,DeviceName,URLOpenTime,['ISOFileName']

Operators

KQL Search