Hunt for rare ISO files on devices
Rare ISO File
Query
let Threshold = 100;
DeviceFileEvents
// Extract the FileExtentsion from the filename
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Filter only on ISO files
| where FileExtension =~ 'iso'
// Do not filter on File Rename activities, since this does not change
the hash of the file.
| where ActionType != 'FileRenamed'
| where isnotempty(SHA1)
// Enrich file information
| invoke FileProfile("SHA1", 10000)
// Depending on your hunting activities you can alter the threshold for
applications that are less rare.
| where GlobalPrevalence <= Threshold
| project
DeviceName,
ActionType,
GlobalPrevalence,
GlobalFirstSeen,
FolderPath,
SHA1,
FileOriginUrl
| sort by GlobalPrevalence, SHA1About this query
Explanation
This query is designed to help identify rare ISO files on devices within an organization, which could potentially be used by adversaries to gain unauthorized access. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to find ISO files that are not commonly seen globally, as these could be suspicious and potentially harmful. ISO files are often used by attackers to hide malicious content.
-
Technique: It relates to a specific MITRE ATT&CK technique (T1553.005), which involves bypassing trust controls by using ISO files.
-
Process:
- The query starts by setting a threshold for rarity, defined as a global prevalence of less than 100. This means it looks for ISO files that are not widely distributed or recognized.
- It filters file events to focus only on ISO files, ignoring any file rename actions since renaming doesn't change the file's hash.
- It ensures that each file has a SHA1 hash, which is used to uniquely identify the file.
- The query enriches the file data with additional information using the
FileProfilefunction, which provides details about the file's prevalence and first appearance. - It filters the results to include only those ISO files that meet the rarity threshold.
- Finally, it organizes the output to show relevant details like the device name, action type, global prevalence, when the file was first seen globally, the file's location, its SHA1 hash, and the origin URL if available.
-
Output: The results are sorted by how rare the files are, helping security teams prioritize which files to investigate further.
-
Considerations: The query is designed for use with Microsoft Defender for Endpoint, as it relies on specific functions not available in other platforms like Sentinel. It also notes that some benign files, like certain Linux distributions, might appear as false positives due to their low global prevalence. These can be verified by checking the file's hash.
Overall, this query is a proactive measure to detect potentially malicious ISO files that could be used to compromise systems.
