Detecting Virtual Drive Mounted From Archive

This query is designed to detect virtual drives mounted from archives. It helps identify instances where virtual drives are mounted from archives, which can indicate suspicious or malicious activity.

let DiskImageFileExtensions = dynamic(["iso", "img", "vhd", "vhdx", "wim"]);
DeviceFileEvents
| where FolderPath matches regex @"(?i)\\Users\\[^\\] +\\AppData\\Local\\Temp\\(.*)?"
| where FolderPath has_any("7zo", "Rar$", ".zip", "Temp1_")
| extend FileExtension = split(FileName, ".")[-1]
| where FileExtension in~(DiskImageFileExtensions)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, FileExtension
| order by Timestamp desc

Below is an extended version, including additional extensions.

let DiskImageFileExtensions = dynamic([
    "iso",
    "img",
    "vhd",
    "vhdx",
    "wim",
    "dmg",
    "vmdk",
    "bin",
    "cue",
    "nrg",
    "udf"
]);
DeviceFileEvents
| where FolderPath matches regex @"(?i)\\Users\\[^\\] +\\AppData\\Local\\Temp\\(.*)?"
| where FolderPath has_any("7zo", "Rar$", ".zip", "Temp1_")
| extend FileExtension = split(FileName, ".")[-1]
| where FileExtension in~(DiskImageFileExtensions)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath, FileName, FileExtension
| order by Timestamp desc

PreviousDetecting Low Prevalence DLL Loaded From Process In User Downloads Directory NextIdentify Execution of Script From User's Downloads Folder

Last updated 3 months ago