topic Re: XQL - New attacks through ZIPs and ISOs in Cortex XDR Discussions

XQL - New attacks through ZIPs and ISOs

RFeyertag — Mon, 01 Aug 2022 10:43:38 GMT

Hello dear Community,

has someone of you a ready to implement XQL Query for downloading zip/rar/iso file containing a iso? The source can be outlook, etc.

I found a sigma rule based on:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_iso_file_mount.yml

I would be appreciate for some examples.

Rob

Re: XQL - New attacks through ZIPs and ISOs

afurze — Mon, 01 Aug 2022 16:33:31 GMT

Hi RFeyertag,

You can use XQL to create a BIOC for this

dataset = xdr_data | filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) | filter action_file_path contains "\\AppData\\Local\\Temp\\" or action_file_path contains \"\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" | filter action_file_extension = "iso"

You can tweak this query to look for different extensions, change the file operation included (this query looks for file creation, or file write). You should do some testing to determine if it will fire when a user extracts an iso from a zip but I believe it will.

Re: XQL - New attacks through ZIPs and ISOs

JillianSagun — Mon, 01 Aug 2022 19:22:18 GMT

Hi Rob,

I have a different approach on this. Made a generic catch-all query for anything executed from a CD-ROM drive that is not digitally signed.

====

preset = xdr_process
| filter storage_device_drive_type = ENUM.DEVICE_CDROM and action_process_signature_status != enum.SIGNED
| comp count(action_process_image_path) as Hits by action_process_image_path, action_process_image_name , action_process_signature_status, action_process_image_sha256
| sort asc action_process_image_path
| dedup action_process_image_path
| dedup action_process_image_name by asc action_process_image_path
=====

This doesn't really answer the question fully, but with some baselining and a bit of elbow grease I think you can improve on this.

Ofc, outright blocking ISO's from mounting would be best, but meh.

Hope this helps!

Re: XQL - New attacks through ZIPs and ISOs

RFeyertag — Tue, 02 Aug 2022 14:36:37 GMT

Hello!

I tried to tweak it, with the initial query I didn't get any result. And with my tweaked one there was the same result.

Is there anything wrong with this query?

Rob

Re: XQL - New attacks through ZIPs and ISOs

RFeyertag — Tue, 02 Aug 2022 14:44:08 GMT

Is there any possibility to migrate this query into xql? Here it is working.

Rob

Re: XQL - New attacks through ZIPs and ISOs

JillianSagun — Tue, 02 Aug 2022 15:28:19 GMT

Not sure where the query went awry, maybe add in some case insensitivity?

Also, I have a personal grudge against "contains" but tested this one and it was able to pick up some iso's in the %temp% dir.

config case_sensitive = false
| dataset = xdr_data
| filter action_file_path in ("*\AppData\Local\Temp\*","*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\*")
| filter action_file_extension in ("img","iso","zip")

Re: XQL - New attacks through ZIPs and ISOs

RFeyertag — Fri, 05 Aug 2022 20:48:11 GMT

Thank you very much, this one worked like a charm 🙂

Rob