LoFP / legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction

Techniques

Sample rules

Phishing Pattern ISO in Archive

Description

Detects cases in which an ISO file is opened from within an archiver such as 7-Zip or WinRAR. This is a sign of phishing: threat actors place small ISO files inside archives sent as email attachments to bypass certain filters and protective measures (Mark of the Web).

Detection logic

condition: selection
selection:
  Image|endswith:
  - \isoburn.exe
  - \PowerISO.exe
  - \ImgBurn.exe
  ParentImage|endswith:
  - \Winrar.exe
  - \7zFM.exe
  - \peazip.exe
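To show what the selection above fires on, and why the legitimate click-through case listed on this page is indistinguishable from the phishing chain at the process-creation level, here is an added example (not part of the LoFP page or the Sigma rule) that evaluates the selection against constructed Sysmon Event ID 1 records; it assumes Sigma's case-insensitive string matching.

```python
"""Evaluate the 'Phishing Pattern ISO in Archive' selection against
constructed Sysmon Event ID 1 (process creation) records.
Added example, not the rule author's code; the samples are constructed."""

# The selection as it appears on the page: child Image is an ISO tool,
# ParentImage is an archiver. Keys are ANDed, list entries are ORed.
SELECTION = {
    "Image|endswith": ["\\isoburn.exe", "\\PowerISO.exe", "\\ImgBurn.exe"],
    "ParentImage|endswith": ["\\Winrar.exe", "\\7zFM.exe", "\\peazip.exe"],
}


def field_matches(value, modifier, patterns):
    """Apply one Sigma string modifier. Sigma string matching is
    case-insensitive, so 'WinRAR.exe' still matches '\\Winrar.exe'."""
    v = value.lower()
    if modifier == "endswith":
        return any(v.endswith(p.lower()) for p in patterns)
    if modifier == "contains":
        return any(p.lower() in v for p in patterns)
    raise ValueError("unsupported modifier: " + modifier)


def selection_matches(event, selection=SELECTION):
    """True when every 'Field|modifier' entry of the selection matches."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if field not in event:
            return False
        if not field_matches(event[field], modifier, patterns):
            return False
    return True


# Constructed events. The first two are the same process chain: the rule
# cannot tell a phished user from the legitimate click described above.
PHISHING_LIKE = {  # ISO inside an e-mail attachment opened from 7-Zip
    "Image": r"C:\Program Files\PowerISO\PowerISO.exe",
    "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
}
LEGIT_CLICK = {  # LoFP case: user clicks an image inside a legitimate archive
    "Image": r"C:\Program Files (x86)\ImgBurn\ImgBurn.exe",
    "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
}
EXTRACTED_FIRST = {  # user extracted the ISO and opened it from Explorer
    "Image": r"C:\Program Files\PowerISO\PowerISO.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
}
```

The third record shows the boundary the LoFP entry draws: extracting the image first changes the parent to explorer.exe, so the rule stays silent, while the click-through path fires whether the archive is benign or not.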