Add win_vhdmp_mount_iso

rules/windows/builtin/vhdmp/win_vhdmp_mount_iso.yml

@@ -0,0 +1,23 @@
+title: Windows Iso Mount
+id: ff7ff483-79ab-4434-bbbb-6e1b2b5b0cce
+status: experimental
+description: Detects a ISO file has been mount in explorer
+references:
+    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
+author: frack113
+date: 2023/01/09
+tags:
+    - attack.initial_access 
+logsource:
+    product: windows
+    service: vhdmp
+detection:
+    selection:
+        EventID:
+            - 1
+            - 12
+            - 25
+    condition: selection
+falsepositives:
+    - Unknown 
+level: medium

tests/logsource.json

@@ -86,7 +86,8 @@
                 "dns-server":[],
                 "printservice-admin":[],
                 "msexchange-management":[],
-                "applocker":[]
+                "applocker":[],
+				"vhdmp":[]
             }
         },
         "linux":{

tools/config/elk-windows.yml

@@ -114,4 +114,9 @@ logsources:
     service: bitlocker
     conditions:
       EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      EventLog: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: logstash-*

tools/config/elk-winlogbeat-sp.yml

@@ -114,6 +114,11 @@ logsources:
     service: bitlocker
     conditions:
       log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      log_name: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: <winlogbeat-{now/d}>
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/elk-winlogbeat.yml

@@ -114,6 +114,11 @@ logsources:
     service: bitlocker
     conditions:
       logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      logname: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/fireeye-helix.yml

@@ -142,6 +142,11 @@ logsources:
         service: bitlocker
         conditions:
             channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+    windows-vhdmp-operational:
+        product: windows
+        service: vhdmp
+        conditions:
+            channel: 'Microsoft-Windows-VHDMP-Operational'
     linux:
         product: linux
         index: posix

tools/config/generic/windows-services.yml

@@ -192,4 +192,10 @@ logsources:
         product: windows
         service: ldap_debug
         conditions:
-            Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
+            Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
+    windows-vhdmp-operational:
+        product: windows
+        service: vhdmp
+        conditions:
+            Provider_Name: 'Microsoft-Windows-VHDMP-Operational'
+            

tools/config/hawk.yml

@@ -128,6 +128,11 @@ logsources:
    service: bits-client
    conditions:
      event_channel: "Microsoft-Windows-Bits-Client/Operational"
+ windows-vhdmp-operational:
+   product: windows
+   service: vhdmp
+   conditions:
+     event_channel: 'Microsoft-Windows-VHDMP-Operational'
  windows-network-connection:
    product: windows
    category: network_connection

tools/config/logpoint-windows.yml

@@ -114,6 +114,11 @@ logsources:
     service: bitlocker
     conditions:
       event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      event_source: 'Microsoft-Windows-VHDMP-Operational'
 fieldmappings:
     EventID: event_id
     FailureCode: result_code

tools/config/logstash-windows.yml

@@ -135,4 +135,9 @@ logsources:
     service: bitlocker
     conditions:
       Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      Channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: logstash-*

tools/config/powershell.yml

@@ -155,4 +155,9 @@ logsources:
     product: windows
     service: bitlocker
     conditions:
-      LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
+      LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      LogName: 'Microsoft-Windows-VHDMP-Operational'

tools/config/splunk-windows.yml

@@ -176,5 +176,10 @@ logsources:
     service: windefend
     conditions:
       source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      source: 'Microsoft-Windows-VHDMP-Operational'
 fieldmappings:
   EventID: EventCode

tools/config/sumologic.yml

@@ -145,6 +145,11 @@ logsources:
     service: bitlocker
     conditions:
       source: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      source: 'Microsoft-Windows-VHDMP-Operational'
   apache:
     service: apache
     index: WEBSERVER

tools/config/thor.yml

@@ -419,6 +419,11 @@ logsources:
     service: bitlocker
     sources:
       - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp:
+    product: windows
+    service: vhdmp
+    sources:
+      - 'Microsoft-Windows-VHDMP-Operational'
   apache:
     category: webserver
     sources:

tools/config/winlogbeat-modules-enabled.yml

@@ -159,6 +159,11 @@ logsources:
     service: bitlocker
     conditions:
       winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/winlogbeat-old.yml

@@ -122,6 +122,11 @@ logsources:
     service: bitlocker
     conditions:
       log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      log_name: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/winlogbeat.yml

@@ -148,6 +148,11 @@ logsources:
     service: bitlocker
     conditions:
       winlog.channel: 'bitlocker'
+  windows-vhdmp-operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/zircolite.yml

@@ -113,4 +113,9 @@ logsources:
     product: windows
     service: bits-client
     conditions:
-      Channel: 'Microsoft-Windows-Bits-Client/Operational' 
+      Channel: 'Microsoft-Windows-Bits-Client/Operational' 
+  windows-vhdmp-Operational:
+    product: windows
+    service: vhdmp
+    conditions:
+      Channel: 'Microsoft-Windows-VHDMP-Operational'