
VHD Image Download Via Browser

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Authors: François Hubaut, Christopher Peacock, SCYTHE
Created: Mon Oct 25
Updated: Fri May 05
Rule ID: 8468111a-ef07-4654-903b-b863a80bbc95
Product: windows

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
        # "contains" is used instead of "endswith" so that ".vhdx" files and alternate data stream (ADS) entries are also matched. Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
        TargetFilename|contains: '.vhd'
    condition: selection
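The following is an added example, not part of the Sigma rule or of the rule browser: a small Python re-implementation of the rule's two selectors, run over constructed file-event records (field names modelled on Sysmon file-create events; all paths and user names are made up). It shows why the rule uses `contains` rather than `endswith` for the target filename, that Sigma string modifiers are case-insensitive by default, and one side effect of `contains` that an analyst should expect when triaging hits.

```python
"""Added example: evaluate this Sigma rule's logic over constructed file events.

Not the rule's own code and not a Sigma backend; a plain re-implementation of the
two selectors so the matching behaviour can be inspected and tested offline.
"""

# Process image suffixes exactly as listed in the rule's "Image|endswith" selector.
BROWSER_IMAGES = [
    r"\brave.exe", r"\chrome.exe", r"\firefox.exe", r"\iexplore.exe",
    r"\maxthon.exe", r"\MicrosoftEdge.exe", r"\msedge.exe",
    r"\msedgewebview2.exe", r"\opera.exe", r"\safari.exe",
    r"\seamonkey.exe", r"\vivaldi.exe", r"\whale.exe",
]

# Constructed sample events (hypothetical paths; not real telemetry).
SAMPLE_EVENTS = [
    # 1: plain .vhd download by a browser -> match
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\windows.vhd"},
    # 2: .vhdx variant -> match only because the rule uses "contains"
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\backup.vhdx"},
    # 3: Mark-of-the-Web ADS written by the browser -> match (same reason)
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\windows.vhd:Zone.Identifier"},
    # 4: .vhdx created by a non-browser process -> no match (Image selector fails)
    {"Image": r"C:\Windows\System32\diskpart.exe",
     "TargetFilename": r"C:\VMs\lab.vhdx"},
    # 5: ordinary browser download -> no match
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    # 6: mixed case -> match, Sigma string matching is case-insensitive by default
    {"Image": r"C:\Program Files\Google\Chrome\Application\CHROME.EXE",
     "TargetFilename": r"C:\Users\alice\Downloads\IMAGE.VHD"},
    # 7: ".vhd" appearing mid-name -> also matches; a triage caveat of "contains"
    {"Image": r"C:\Program Files\Opera\opera.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\notes.vhd.txt"},
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies both selectors of the rule.

    Sigma's "endswith" and "contains" modifiers compare case-insensitively
    unless told otherwise, so both sides are lowercased before comparing.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not any(image.endswith(suffix.lower()) for suffix in BROWSER_IMAGES):
        return False                      # not one of the listed browsers
    return ".vhd" in target               # TargetFilename|contains: '.vhd'


def find_matches(events) -> list:
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in find_matches(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Events 2 and 3 are the reason for the `contains` choice in the rule: with `endswith: '.vhd'` the `.vhdx` download and the `Zone.Identifier` stream would both be missed. Event 7 is the trade-off: any browser-written filename containing `.vhd` anywhere also fires, which belongs in the same bucket as the "legitimate downloads" false positive the rule already lists.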
False Positives

Legitimate downloads of ".vhd" files would also trigger this rule.

Rule Metadata
Rule ID
8468111a-ef07-4654-903b-b863a80bbc95
Status
test
Level
medium
Type
Detection
Created
Mon Oct 25
Modified
Fri May 05
Path
rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
Raw Tags
attack.resource-development, attack.t1587.001