Windows.Detection.ISOMount

Following Microsoft’s decision to block macros by default on MS Office applications, threat actors are increasingly using container files such as ISO files to distribute malware. This artifact will extract evidence of .iso files being mounted that may be malicious from the Microsoft-Windows-VHDMP-Operational EventLog. The artifact targets the string “.iso” in event IDs: 1 (mount), 2 (unmount) and 12 (type, path, handle).

name: Windows.Detection.ISOMount
author: Conor Quinn - @ConorQuinn92, updated Matt Green - @mgreen27
description: |
   Following Microsoft's decision to block macros by default on MS Office applications, threat actors are increasingly using container files such as ISO files to distribute malware. 
   This artifact will extract evidence of .iso files being mounted that may be malicious from the Microsoft-Windows-VHDMP-Operational EventLog. 
   The artifact targets the string ".iso" in event IDs: 1 (mount), 2 (unmount) and 12 (type, path, handle).
   
reference:
  - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
  - https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world 

parameters:
   - name: TargetGlob
     default: '%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx'
   - name: TargetImageRegex
     default: 'C:\\Users\\.+\.(iso|vhd|vhdx|img)$'
     type: regex
   - name: TargetVSS
     type: bool

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT EventTime,
             Computer,
             Username,
             Channel,
             EventID,
             EventRecordID,
             Message,
             EventData,
             regex_replace(source=EventData.VhdFileName, re='''\\\\\?\\''', replace='') AS Filename,
             FullPath
      FROM Artifact.Windows.EventLogs.EvtxHunter(
        EvtxGlob=TargetGlob,
        IdRegex='^(1|2|12|22|23)$',
        SearchVSS=TargetVSS)
        WHERE EventData.VhdFileName =~ TargetImageRegex

    notebook:
      - type: vql_suggestion
        name: ImageMount hunt summary
        template: |
          /*
          # ImageMount hunt summary

          This notebook stacks by Computer and Filename modify as required
          */
          SELECT 
            min(item=EventTime) as EarliestTime,
            max(item=EventTime) as LatestTime,
            Computer, Username, EventID,Message,
            Filename,
            count() as Total
          FROM source(artifact="Exchange.Windows.Detection.ISOMount")
          GROUP BY Computer,Username, EventID, Filename