Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-01-2022 03:43 AM
Hello dear Community,
has someone of you a ready to implement XQL Query for downloading zip/rar/iso file containing a iso? The source can be outlook, etc.
I found a sigma rule based on:
I would be appreciate for some examples.
BR
Rob
08-02-2022 08:28 AM
Not sure where the query went awry, maybe add in some case insensitivity?
Also, I have a personal grudge against "contains" but tested this one and it was able to pick up some iso's in the %temp% dir.
config case_sensitive = false
| dataset = xdr_data
| filter action_file_path in ("*\AppData\Local\Temp\*","*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\*")
| filter action_file_extension in ("img","iso","zip")
08-01-2022 09:33 AM
Hi RFeyertag,
You can use XQL to create a BIOC for this
dataset = xdr_data
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE)
| filter action_file_path contains "\\AppData\\Local\\Temp\\" or action_file_path contains \"\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\"
| filter action_file_extension = "iso"
You can tweak this query to look for different extensions, change the file operation included (this query looks for file creation, or file write). You should do some testing to determine if it will fire when a user extracts an iso from a zip but I believe it will.
08-01-2022 12:22 PM
Hi Rob,
I have a different approach on this. Made a generic catch-all query for anything executed from a CD-ROM drive that is not digitally signed.
====
preset = xdr_process
| filter storage_device_drive_type = ENUM.DEVICE_CDROM and action_process_signature_status != enum.SIGNED
| comp count(action_process_image_path) as Hits by action_process_image_path, action_process_image_name , action_process_signature_status, action_process_image_sha256
| sort asc action_process_image_path
| dedup action_process_image_path
| dedup action_process_image_name by asc action_process_image_path
=====
This doesn't really answer the question fully, but with some baselining and a bit of elbow grease I think you can improve on this.
Ofc, outright blocking ISO's from mounting would be best, but meh.
Hope this helps!
08-02-2022 07:36 AM
Hello!
I tried to tweak it, with the initial query I didn't get any result. And with my tweaked one there was the same result.
Is there anything wrong with this query?
BR
Rob
08-02-2022 07:44 AM
Is there any possibility to migrate this query into xql? Here it is working.
BR
Rob
08-02-2022 08:28 AM
Not sure where the query went awry, maybe add in some case insensitivity?
Also, I have a personal grudge against "contains" but tested this one and it was able to pick up some iso's in the %temp% dir.
config case_sensitive = false
| dataset = xdr_data
| filter action_file_path in ("*\AppData\Local\Temp\*","*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\*")
| filter action_file_extension in ("img","iso","zip")
08-05-2022 01:48 PM
Thank you very much, this one worked like a charm 🙂
BR
Rob
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
