Query Details

Rare ISO File

Query

# Hunt for rare ISO files on devices

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | https://attack.mitre.org/techniques/T1553/005/ |

#### Description
Adversaries may use ISO files to obfuscate their malicious intentions and gain initial access. Those files may be sent via e-mail. A common actor that sends ISO attachments is Lokibot. To reduce the attack surface, consider disabling auto-mounting of disk images. This hunting query lets you search for rare ISO files in your organisation. The threshold for the query is that the ISO file has a global prevalence of less than 100; this can be adjusted to your needs. This query does not look for mounted ISO files, it only searches for ISO files on disk.

A false positive would be a benign file that has a low global prevalence, for example some Linux distros. Whether the file is indeed benign can be validated via its hash.

Note that this query can only be executed on Defender For Endpoint, since the function FileProfile() is not supported in Sentinel.

#### Risk
An actor can use a malicious mounted ISO to gain initial access.

#### References
- https://redcanary.com/blog/iso-files/
- https://www.bleepingcomputer.com/news/security/uptick-seen-in-iso-email-attachments-delivering-malware/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/automount
- https://www.cisa.gov/uscert/ncas/alerts/aa20-266a

## Defender For Endpoint
```
let Threshold = 100;
DeviceFileEvents
// Extract the FileExtension from the filename
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Filter only on ISO files
| where FileExtension =~ 'iso'
// Do not filter on File Rename activities, since this does not change the hash of the file.
| where ActionType != 'FileRenamed'
| where isnotempty(SHA1)
// Enrich file information
| invoke FileProfile("SHA1", 10000)
// Depending on your hunting activities you can alter the threshold for applications that are less rare.
| where GlobalPrevalence <= Threshold
| project
     DeviceName,
     ActionType,
     GlobalPrevalence,
     GlobalFirstSeen,
     FolderPath,
     SHA1,
     FileOriginUrl
| sort by GlobalPrevalence, SHA1
```
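To make the filtering steps of the query above testable offline, the following is an added example (not part of the original page or the author's query) that mirrors the same pipeline in Python over a handful of constructed rows shaped like `DeviceFileEvents`, with a constructed lookup table standing in for the `FileProfile()` enrichment. It uses the query's own regex so you can see how `.*\.(.*)` behaves on names with several dots, how the case-insensitive `=~` match catches `README.ISO`, and why rows with an empty SHA1 or no prevalence data never reach the result set.

```python
import re

# Constructed sample rows shaped like DeviceFileEvents (only the columns the query touches).
EVENTS = [
    {"DeviceName": "ws01", "ActionType": "FileCreated", "FileName": "Invoice_2023.iso",
     "FolderPath": r"C:\Users\a\Downloads\Invoice_2023.iso", "SHA1": "a" * 40,
     "FileOriginUrl": "https://mail.example.invalid/attachment/1"},
    # Same file renamed on another device: the hash does not change, so the query drops rename events.
    {"DeviceName": "ws02", "ActionType": "FileRenamed", "FileName": "Invoice_2023.iso",
     "FolderPath": r"C:\Users\b\Desktop\Invoice_2023.iso", "SHA1": "a" * 40, "FileOriginUrl": ""},
    # Widely seen installer image: above the threshold, so it is filtered out.
    {"DeviceName": "ws03", "ActionType": "FileCreated", "FileName": "ubuntu-22.04.iso",
     "FolderPath": r"C:\ISOs\ubuntu-22.04.iso", "SHA1": "b" * 40, "FileOriginUrl": ""},
    # Several dots: the greedy regex still yields the last segment, 'iso'.
    {"DeviceName": "ws04", "ActionType": "FileCreated", "FileName": "tools.tar.iso",
     "FolderPath": r"C:\Temp\tools.tar.iso", "SHA1": "c" * 40, "FileOriginUrl": ""},
    # Upper-case extension: =~ in KQL is case-insensitive.
    {"DeviceName": "ws05", "ActionType": "FileCreated", "FileName": "README.ISO",
     "FolderPath": r"C:\Users\e\Downloads\README.ISO", "SHA1": "d" * 40, "FileOriginUrl": ""},
    # Not an ISO at all.
    {"DeviceName": "ws06", "ActionType": "FileCreated", "FileName": "setup.exe",
     "FolderPath": r"C:\Temp\setup.exe", "SHA1": "e" * 40, "FileOriginUrl": ""},
    # ISO with no hash recorded: dropped by isnotempty(SHA1).
    {"DeviceName": "ws07", "ActionType": "FileCreated", "FileName": "unknown.iso",
     "FolderPath": r"C:\Temp\unknown.iso", "SHA1": "", "FileOriginUrl": ""},
    # Shortcut masquerading with a double extension: the last segment is 'lnk', so it is not matched.
    {"DeviceName": "ws08", "ActionType": "FileCreated", "FileName": "Invoice_2023.iso.lnk",
     "FolderPath": r"C:\Users\h\Downloads\Invoice_2023.iso.lnk", "SHA1": "f" * 40, "FileOriginUrl": ""},
]

# Constructed stand-in for FileProfile(): SHA1 -> GlobalPrevalence / GlobalFirstSeen.
PROFILES = {
    "a" * 40: {"GlobalPrevalence": 3, "GlobalFirstSeen": "2023-02-10T08:12:00Z"},
    "b" * 40: {"GlobalPrevalence": 5000, "GlobalFirstSeen": "2022-04-21T00:00:00Z"},
    "c" * 40: {"GlobalPrevalence": 40, "GlobalFirstSeen": "2023-01-30T15:45:00Z"},
    "d" * 40: {"GlobalPrevalence": 7, "GlobalFirstSeen": "2023-02-12T19:03:00Z"},
    "e" * 40: {"GlobalPrevalence": 120000, "GlobalFirstSeen": "2019-06-01T00:00:00Z"},
    # "f" * 40 deliberately absent: FileProfile returns nulls and `<= Threshold` then evaluates false.
}

# Same regex the query passes to extract(); group 1 is the text after the last dot.
EXT_RE = re.compile(r".*\.(.*)")


def file_extension(file_name: str) -> str:
    """Mirror of extract(@'.*\\.(.*)', 1, FileName): empty string when there is no dot."""
    m = EXT_RE.match(file_name)
    return m.group(1) if m else ""


def hunt_rare_iso(events, profiles, threshold: int = 100):
    """Apply the query's filters in order and return the projected, sorted rows."""
    results = []
    for ev in events:
        if file_extension(ev["FileName"]).lower() != "iso":   # where FileExtension =~ 'iso'
            continue
        if ev["ActionType"] == "FileRenamed":                  # where ActionType != 'FileRenamed'
            continue
        sha1 = ev.get("SHA1", "")
        if not sha1:                                           # where isnotempty(SHA1)
            continue
        profile = profiles.get(sha1)                           # invoke FileProfile("SHA1", 10000)
        if profile is None or profile["GlobalPrevalence"] > threshold:
            continue                                           # where GlobalPrevalence <= Threshold
        results.append({                                       # project ...
            "DeviceName": ev["DeviceName"],
            "ActionType": ev["ActionType"],
            "GlobalPrevalence": profile["GlobalPrevalence"],
            "GlobalFirstSeen": profile["GlobalFirstSeen"],
            "FolderPath": ev["FolderPath"],
            "SHA1": sha1,
            "FileOriginUrl": ev["FileOriginUrl"],
        })
    # KQL `sort by` defaults to descending, so the least rare hit comes first.
    results.sort(key=lambda r: (r["GlobalPrevalence"], r["SHA1"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in hunt_rare_iso(EVENTS, PROFILES):
        print(row["GlobalPrevalence"], row["DeviceName"], row["FolderPath"], row["SHA1"][:8])
```

Two things worth noticing when tuning the real query: raising `Threshold` (here to 5000) pulls in the widely distributed Linux image, which is exactly the false-positive class the description mentions, and because KQL `sort by` is descending by default the rarest hashes appear last; append `asc` to the sort if you prefer to triage them first.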

Explanation

This query is used to hunt for rare ISO files on devices in an organization. ISO files can be used by adversaries to hide malicious intentions and gain initial access. The query searches for ISO files on disk that have a global prevalence of less than 100. The threshold can be adjusted as needed. It does not search for mounted ISO files. The query can only be executed on Defender For Endpoint. The risk is that a malicious mounted ISO file can be used to gain initial access.

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceFileEvents

Keywords

Devices,Intune,User,ISOfiles

Operators

extend, where, isnotempty, invoke, project, sort