Windows.Detection.ISOMount :: Velociraptor

Windows.Detection.ISOMount

Following Microsoft’s decision to block macros by default on MS Office applications, threat actors are increasingly using container files such as ISO files to distribute malware. This artifact will extract evidence of container files being mounted that may be malicious from the Microsoft-Windows-VHDMP-Operational EventLog. The artifact targets the string “.(iso|vhd|vhdx|img)$” in event IDs: 1 (mount), 2 (unmount) and 12 (type, path, handle).


name: Windows.Detection.ISOMount
author: Conor Quinn - @ConorQuinn92, updated Matt Green - @mgreen27
description: |
   Following Microsoft's decision to block macros by default on MS
   Office applications, threat actors are increasingly using container
   files such as ISO files to distribute malware.  This artifact will
   extract evidence of container files being mounted that may be
   malicious from the Microsoft-Windows-VHDMP-Operational EventLog.
   The artifact targets the string ".(iso|vhd|vhdx|img)$" in event
   IDs: 1 (mount), 2 (unmount) and 12 (type, path, handle).

reference:
  - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
  - https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world

parameters:
   - name: TargetGlob
     default: '%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx'
   - name: TargetImageRegex
     default: 'C:\\Users\\.+\.(iso|vhd|vhdx|img)$'
     type: regex
   - name: VSSAnalysisAge
     type: int
     default: 0
     description: |
       If larger than zero we analyze VSS within this many days
       ago. (e.g 7 will analyze all VSS within the last week).  Note
       that when using VSS analysis we have to use the ntfs accessor
       for everything which will be much slower.

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT EventTime,
             Computer,
             Username,
             Channel,
             EventID,
             EventRecordID,
             Message,
             EventData,
             regex_replace(source=EventData.VhdFileName, re='''\\\\\?\\''', replace='') AS Filename,
             FullPath
      FROM Artifact.Windows.EventLogs.EvtxHunter(
        EvtxGlob=TargetGlob,
        IdRegex='^(1|2|12|22|23)$',
        VSSAnalysisAge=VSSAnalysisAge)
        WHERE EventData.VhdFileName =~ TargetImageRegex

    notebook:
      - type: vql_suggestion
        name: ImageMount hunt summary
        template: |
          /*
          # ImageMount hunt summary

          This notebook stacks by Computer and Filename modify as required
          */
          SELECT
            min(item=EventTime) as EarliestTime,
            max(item=EventTime) as LatestTime,
            Computer, Username, EventID,Message,
            Filename,
            count() as Total
          FROM source(artifact="Exchange.Windows.Detection.ISOMount")
          GROUP BY Computer,Username, EventID, Filename