LoFP / potential fp by sysadmin opening a zip file containing a legitimate iso file

Techniques

Sample rules

ISO File Created Within Temp Folders

Description

Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTP from end-July 2022.

Detection logic

condition: 1 of selection*
selection_1:
  TargetFilename|contains|all:
  - \AppData\Local\Temp\
  - .zip\
  TargetFilename|endswith: .iso
selection_2:
  TargetFilename|contains: \AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\
  TargetFilename|endswith: .iso
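The following is an added example, not part of this LoFP entry or of the Sigma rule: a plain Python re-implementation of the two selections above, run over constructed Sysmon Event ID 11 (FileCreate) TargetFilename values, showing that the false positive described here (an admin opening a zip that holds a legitimate ISO) lands in exactly the same selection as the pattern the rule targets. Usernames, folder names and file names are hypothetical.

```python
# Added example: re-implementation of the Sigma selections above over
# constructed Sysmon FileCreate paths. Not the rule's own code.

TEMP_DIR = "\\appdata\\local\\temp\\"
OUTLOOK_CACHE = "\\appdata\\local\\microsoft\\windows\\inetcache\\content.outlook\\"


def selection_1(target_filename: str) -> bool:
    """TargetFilename|contains|all: Temp dir and '.zip\\'; endswith '.iso'."""
    t = target_filename.lower()  # Sigma string modifiers are case-insensitive
    return TEMP_DIR in t and ".zip\\" in t and t.endswith(".iso")


def selection_2(target_filename: str) -> bool:
    """TargetFilename|contains: Outlook attachment cache; endswith '.iso'."""
    t = target_filename.lower()
    return OUTLOOK_CACHE in t and t.endswith(".iso")


def matched_selections(target_filename: str) -> list:
    """Names of the selections that fire; non-empty means '1 of selection*'."""
    hits = []
    if selection_1(target_filename):
        hits.append("selection_1")
    if selection_2(target_filename):
        hits.append("selection_2")
    return hits


# Constructed sample events (hypothetical users, folders and file names).
SAMPLE_EVENTS = {
    # ISO extracted from a zip via Explorer's Temp1_<name>.zip folder: the targeted pattern
    "zip_in_temp": r"C:\Users\alice\AppData\Local\Temp\Temp1_Documents.zip\Documents.iso",
    # ISO written by Outlook's attachment cache
    "outlook_cache": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7XQ2K1AB\invoice.iso",
    # The false positive on this page: admin opens a zip containing a legitimate ISO
    "admin_legit_iso": r"C:\Users\admin\AppData\Local\Temp\Temp1_server-media.zip\server-install.iso",
    # ISO saved straight to Downloads: neither selection matches
    "downloads_iso": r"C:\Users\alice\Downloads\server-install.iso",
}


def evaluate_samples() -> dict:
    """Map each sample event name to the selections it matched."""
    return {name: matched_selections(path) for name, path in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:16} -> {hits or 'no match'}")
```

Because selection_1 keys only on the path shape, the legitimate admin extraction and the targeted pattern are indistinguishable at this layer; tuning has to come from context the rule does not use (user, source of the zip, ISO contents).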