XQL - New attacks through ZIPs and ISOs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL - New attacks through ZIPs and ISOs

L4 Transporter

Hello dear Community, 

 

has someone of you a ready to implement XQL Query for downloading zip/rar/iso file containing a iso? The source can be outlook, etc.

I found a sigma rule based on:

 

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_iso_file_mount....

 

I would be appreciate for some examples. 

 

BR

Rob

1 accepted solution

Accepted Solutions

L1 Bithead

Not sure where the query went awry, maybe add in some case insensitivity?


Also, I have a personal grudge against "contains" but tested this one and it was able to pick up some iso's in the %temp% dir.

config case_sensitive = false
| dataset = xdr_data
| filter action_file_path in ("*\AppData\Local\Temp\*","*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\*")
| filter action_file_extension in ("img","iso","zip")

Jill

View solution in original post

6 REPLIES 6

L4 Transporter

Hi RFeyertag,

 

You can use XQL to create a BIOC for this

 

dataset = xdr_data
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE)
| filter action_file_path contains "\\AppData\\Local\\Temp\\" or action_file_path contains \"\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\"
| filter action_file_extension = "iso"

 

You can tweak this query to look for different extensions, change the file operation included (this query looks for file creation, or file write).  You should do some testing to determine if it will fire when a user extracts an iso from a zip but I believe it will.

L1 Bithead

Hi Rob,

 

I have a different approach on this. Made a generic catch-all query for anything executed from a CD-ROM drive that is not digitally signed.

 

====

preset = xdr_process
| filter storage_device_drive_type = ENUM.DEVICE_CDROM and action_process_signature_status != enum.SIGNED
| comp count(action_process_image_path) as Hits by action_process_image_path, action_process_image_name , action_process_signature_status, action_process_image_sha256
| sort asc action_process_image_path
| dedup action_process_image_path
| dedup action_process_image_name by asc action_process_image_path
=====

 

This doesn't really answer the question fully, but with some baselining and a bit of elbow grease I think you can improve on this.

 

Ofc, outright blocking ISO's from mounting would be best, but meh.

 

Hope this helps!

Jill

Hello! 

 

I tried to tweak it, with the initial query I didn't get any result. And with my tweaked one there was the same result. 

 

RFeyertag_0-1659450704453.png

 

RFeyertag_1-1659450775649.png

RFeyertag_2-1659450811041.png

 

RFeyertag_3-1659450891232.png

 

RFeyertag_4-1659450910720.png

Is there anything wrong with this query? 

 

BR

 

Rob

 

Is there any possibility to migrate this query into xql? Here it is working. 

 

 

RFeyertag_6-1659451433942.png

 

BR

 

Rob

 

L1 Bithead

Not sure where the query went awry, maybe add in some case insensitivity?


Also, I have a personal grudge against "contains" but tested this one and it was able to pick up some iso's in the %temp% dir.

config case_sensitive = false
| dataset = xdr_data
| filter action_file_path in ("*\AppData\Local\Temp\*","*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\*")
| filter action_file_extension in ("img","iso","zip")

Jill

Thank you very much, this one worked like a charm 🙂


BR

 

Rob

  • 1 accepted solution
  • 4013 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!