ISO File Created Within Temp Folders
Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTPs from end of July 2022.
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (2 selectors)
detection:
  selection_1:
    TargetFilename|contains|all:
      - '\AppData\Local\Temp\'
      - '.zip\'
    TargetFilename|endswith: '.iso'
  selection_2:
    TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
    TargetFilename|endswith: '.iso'
  condition: 1 of selection*
False Positives
Potential FP by sysadmin opening a zip file containing a legitimate ISO file
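To check what the two selections actually fire on, here is an added Python evaluator (not part of the rule or of the Sigma project) that applies them with Sigma string semantics to a handful of constructed Sysmon Event ID 11 (FileCreate) records; the event shapes and paths are made up for illustration.

```python
"""Evaluate the rule's selections the way a Sigma backend would: 'contains' and
'endswith' are case-insensitive substring tests, 'contains|all' needs every listed
value, and the condition '1 of selection*' fires when either selection matches."""

# Constructed sample events (not real telemetry); only TargetFilename is evaluated.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Program Files\\7-Zip\\7zFG.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.zip\\invoice.iso"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache"
                       "\\Content.Outlook\\A1B2C3D4\\order.ISO"},   # mixed case still matches
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\ubuntu-22.04.iso"},   # outside both temp paths
    {"EventID": 11, "Image": "C:\\Program Files\\7-Zip\\7zFG.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\tools.zip\\readme.txt"},  # not .iso
]

def contains_all(value, needles):
    """Sigma 'contains|all': every needle must appear, case-insensitively."""
    v = value.lower()
    return all(n.lower() in v for n in needles)

def endswith(value, suffix):
    """Sigma 'endswith', case-insensitive."""
    return value.lower().endswith(suffix.lower())

def selection_1(event):
    # ISO written inside an archive path under the AppData temp folder
    t = event.get("TargetFilename", "")
    return contains_all(t, ["\\AppData\\Local\\Temp\\", ".zip\\"]) and endswith(t, ".iso")

def selection_2(event):
    # ISO written into Outlook's secure temp folder (opened attachment)
    t = event.get("TargetFilename", "")
    outlook_tmp = "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\"
    return contains_all(t, [outlook_tmp]) and endswith(t, ".iso")

def evaluate(event):
    """Return the names of the selections that matched; a non-empty list means the rule fires."""
    selections = (("selection_1", selection_1), ("selection_2", selection_2))
    return [name for name, sel in selections if sel(event)]

def run(events=SAMPLE_EVENTS):
    """Evaluate every event and pair each TargetFilename with its matched selections."""
    return [(e["TargetFilename"], evaluate(e)) for e in events]

if __name__ == "__main__":
    for target, hits in run():
        print(("ALERT " if hits else "      ") + target + ("  [" + ", ".join(hits) + "]" if hits else ""))
```

The first sample event is also the shape of the documented false positive: an administrator extracting a legitimate ISO from a zip lands on the same path pattern, so triage should look at the writing process and the archive's origin.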
MITRE ATT&CK
Tactic: Initial Access (attack.initial-access)
Sub-technique: T1566.001, Phishing: Spearphishing Attachment (attack.t1566.001)
Rule Metadata
Rule ID
2f9356ae-bf43-41b8-b858-4496d83b2acb
Status
test
Level
high
Type
Detection
Created
Sat Jul 30
Author
Path
rules/windows/file/file_event/file_event_win_iso_file_mount.yml
Raw Tags
attack.initial-access, attack.t1566.001