Adversaries may use ISO files as a delivery mechanism: once a malicious ISO is mounted, a .lnk file inside it is executed from a drive letter other than C:, and that shortcut launches the payload. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or payload delivery tactics that evade traditional detection methods.

KQL Query
```kusto
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == 'BrowserLaunchedToOpenUrl'
| where RemoteUrl endswith ".lnk"
| where RemoteUrl !startswith "C:"
| project LNKLaunchTimestamp = Timestamp, DeviceName, RemoteUrl
| parse RemoteUrl with Drive '\\' *
| extend Drive = tostring(Drive)
| where isnotempty(Drive)
| join (
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FolderPath !startswith "C:"
    | parse FolderPath with Drive '\\' *
    | project Drive = tostring(Drive), StartedProcessTimestamp = Timestamp, StartedProcessName = FileName, StartedProcessSHA1 = SHA1, StartedProcessCommandline = ProcessCommandLine, StartedProcessPath = FolderPath, DeviceName, StartedProcessParentName = InitiatingProcessFileName, StartedProcessParentCmdline = InitiatingProcessCommandLine, StartedParentProcessFolderPath = InitiatingProcessFolderPath, StartedProcessGrandParent = InitiatingProcessParentFileName, Timestamp
) on DeviceName, Drive
| where StartedProcessTimestamp between (LNKLaunchTimestamp .. (LNKLaunchTimestamp + 1m))
| project-away Drive1, DeviceName1
| project-reorder LNKLaunchTimestamp, StartedProcessTimestamp, DeviceName, RemoteUrl, Drive, StartedProcessName, StartedProcessSHA1, StartedProcessPath, StartedProcessCommandline, StartedProcessParentName, StartedProcessParentCmdline, StartedParentProcessFolderPath, StartedProcessGrandParent, Timestamp
```
```yaml
id: 3539f855-611c-4787-b8a9-e3437f138805
name: anomalous-payload-delivered-from-iso-file
description: |
  This query looks for .lnk file executions from locations other than the C: drive, which can indicate mounted ISO files.
  Reference - https://threathunt.blog/detecting-a-payload-delivered-with-iso-files-using-mde/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceEvents
tactics:
  - Execution
relevantTechniques:
  - T1204.003
query: |
  DeviceEvents
  | where Timestamp > ago(30d)
  | where ActionType == 'BrowserLaunchedToOpenUrl'
  | where RemoteUrl endswith ".lnk"
  | where RemoteUrl !startswith "C:"
  | project LNKLaunchTimestamp = Timestamp, DeviceName, RemoteUrl
  | parse RemoteUrl with Drive '\\' *
  | extend Drive = tostring(Drive)
  | where isnotempty(Drive)
  | join (
      DeviceProcessEvents
      | where Timestamp > ago(30d)
      | where FolderPath !startswith "C:"
      | parse FolderPath with Drive '\\' *
      | project Drive = tostring(Drive), StartedProcessTimestamp = Timestamp, StartedProcessName = FileName, StartedProcessSHA1 = SHA1, StartedProcessCommandline = ProcessCommandLine, StartedProcessPath = FolderPath, DeviceName, StartedProcessParentName = InitiatingProcessFileName, StartedProcessParentCmdline = InitiatingProcessCommandLine, StartedParentProcessFolderPath = InitiatingProcessFolderPath, StartedProcessGrandParent = InitiatingProcessParentFileName, Timestamp
  ) on DeviceName, Drive
  | where StartedProcessTimestamp between (LNKLaunchTimestamp .. (LNKLaunchTimestamp + 1m))
  | project-away Drive1, DeviceName1
  | project-reorder LNKLaunchTimestamp, StartedProcessTimestamp, DeviceName, RemoteUrl, Drive, StartedProcessName, StartedProcessSHA1, StartedProcessPath, StartedProcessCommandline, StartedProcessParentName, StartedProcessParentCmdline, StartedParentProcessFolderPath, StartedProcessGrandParent, Timestamp
```
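To make the join logic concrete, here is an added Python model of the query (example code, not the page's or the rule's own) run over constructed DeviceEvents and DeviceProcessEvents rows: it mirrors the drive parse, the case-insensitive C: exclusions, the exact-match join on DeviceName + Drive and the 1-minute window. The `exclude_parents` parameter is an assumed hook for the false-positive tuning described in the scenarios below, not something the rule itself has.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the two MDE tables the query reads (not real telemetry).
T0 = datetime(2024, 5, 1, 9, 0, 0)
DEVICE_EVENTS = [
    {"Timestamp": T0, "DeviceName": "ws01", "ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": r"D:\Invoice.LNK"},                # .lnk opened from a mounted ISO on D:
    {"Timestamp": T0, "DeviceName": "ws01", "ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": r"c:\Users\bob\Desktop\tool.lnk"},  # C: drive, dropped (case-insensitive)
]
DEVICE_PROCESS_EVENTS = [
    {"Timestamp": T0 + timedelta(seconds=20), "DeviceName": "ws01", "FileName": "rundll32.exe",
     "FolderPath": r"D:\rundll32.exe", "InitiatingProcessFileName": "explorer.exe"},  # correlates
    {"Timestamp": T0 + timedelta(minutes=3), "DeviceName": "ws01", "FileName": "setup.exe",
     "FolderPath": r"D:\setup.exe", "InitiatingProcessFileName": "explorer.exe"},     # past the 1m window
    {"Timestamp": T0 + timedelta(seconds=30), "DeviceName": "ws01", "FileName": "msiexec.exe",
     "FolderPath": r"C:\Windows\System32\msiexec.exe", "InitiatingProcessFileName": "explorer.exe"},  # C:
]

def drive_of(path: str) -> str:
    """Mirror `parse ... with Drive '\\' *`: text before the first backslash, '' when none."""
    drive, sep, _ = path.partition("\\")
    return drive if sep else ""

def lnk_launches(events):
    """First leg of the query: .lnk files opened from a non-C: location."""
    for e in events:
        url = e["RemoteUrl"]
        # KQL endswith / startswith are case-insensitive, so compare case-folded.
        if e["ActionType"] != "BrowserLaunchedToOpenUrl" or not url.lower().endswith(".lnk"):
            continue
        if url.lower().startswith("c:") or not drive_of(url):
            continue
        yield {"LNKLaunchTimestamp": e["Timestamp"], "DeviceName": e["DeviceName"],
               "RemoteUrl": url, "Drive": drive_of(url)}

def correlate(events, procs, window=timedelta(minutes=1), exclude_parents=frozenset()):
    """Join on DeviceName + Drive (exact, like a KQL join); keep starts within `window`; `exclude_parents` is a hypothetical tuning hook."""
    hits = []
    for l in lnk_launches(events):
        for p in procs:
            if p["FolderPath"].lower().startswith("c:") or p["InitiatingProcessFileName"].lower() in exclude_parents:
                continue
            if p["DeviceName"] != l["DeviceName"] or drive_of(p["FolderPath"]) != l["Drive"]:
                continue
            if not (l["LNKLaunchTimestamp"] <= p["Timestamp"] <= l["LNKLaunchTimestamp"] + window):
                continue
            hits.append({**l, "StartedProcessTimestamp": p["Timestamp"], "StartedProcessName": p["FileName"],
                         "StartedProcessParentName": p["InitiatingProcessFileName"]})
    return hits
```

Note that the join compares Drive with KQL's case-sensitive string equality, so a launch parsed as `D:` would not pair with a process path parsed as `d:`. The exclusions suggested in the scenarios below belong on the process side of the join (the InitiatingProcessFileName, FolderPath and command-line columns), which is where the `exclude_parents` hook applies them.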
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate ISO Mounting for Software Installation
Description: An administrator mounts an ISO file to install a software update, and the system executes an .lnk file from the mounted ISO.
Filter/Exclusion: Exclude processes initiated by msiexec.exe or setup.exe from the C:\Windows\Temp directory, or filter by process.parent_process containing mountvol.exe or dism.exe.
Scenario: Scheduled Job Using ISO for Configuration Deployment
Description: A scheduled task runs a script that mounts an ISO and executes an .lnk file to apply configuration changes.
Filter/Exclusion: Exclude processes with taskhost.exe as the parent process, or filter by process.name containing schtasks.exe or at.exe.
Scenario: System Restore or Backup Tool Using ISO
Description: A backup tool like Veeam or Acronis mounts an ISO for restore operations, and an .lnk file is executed from the ISO.
Filter/Exclusion: Exclude processes with VeeamBackup.exe, AcronisTrueImage.exe, or similar backup tool names, or filter by process.parent_process containing mountvol.exe.
Scenario: Admin Task to Execute a Script from ISO
Description: An admin uses PowerShell or CMD to mount an ISO and run a script via an .lnk file as part of a maintenance task.
Filter/Exclusion: Exclude processes with powershell.exe or cmd.exe where the command line includes mountvol or dism, or filter by process.user being a known admin account.
Scenario: ISO Used for ISO-Based Boot Media Creation
Description: A system administrator creates boot media using an ISO file,