EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Suspicious Mount-DiskImage

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

MITRE ATT&CK

T1553.005
defense-evasion

Detection Query

selection:
  ScriptBlockText|contains|all:
    - "Mount-DiskImage "
    - "-ImagePath "
condition: selection

Author

frack113

Created

2022-02-01

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.defense-evasionattack.t1553.005
Raw Content
title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-evasion
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low