
Summary
This detection rule identifies potentially suspicious use of the PowerShell cmdlet `Invoke-Item` together with `Mount-DiskImage`, which may indicate an adversary attempting to execute a malicious payload from a mounted container file such as an ISO image. Delivering malware inside container files is a known technique for bypassing security controls, particularly when the extracted files do not carry the Mark of the Web (MOTW) and are therefore not treated as potentially harmful. The rule inspects PowerShell script block logs for command patterns that indicate a disk image being mounted and an item being invoked from it. If the specified elements are detected in a PowerShell script block, the rule triggers an alert. This provides a detection layer against abuse of PowerShell for defense evasion by malicious actors.
Categories
- Windows
Data Sources
- Script
ATT&CK Techniques
- T1553.005
Created: 2022-02-01
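As an added example (not the rule's own logic), the detection described in the summary expressed in Python over constructed PowerShell script block log entries (Event ID 4104). The event dictionaries, their field names and the extra check for the built-in `ii` alias of `Invoke-Item` are assumptions that go beyond what the page states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample script block log entries (Event ID 4104); field names are assumed.
SAMPLE_EVENTS = [
    {"event_id": 4104,
     "script_block": "Mount-DiskImage -ImagePath 'C:\\Users\\alice\\Downloads\\invoice.iso'; "
                     "$d = (Get-DiskImage -ImagePath 'C:\\Users\\alice\\Downloads\\invoice.iso' | Get-Volume).DriveLetter; "
                     "Invoke-Item ($d + ':\\setup.lnk')"},
    {"event_id": 4104, "script_block": "Mount-DiskImage -ImagePath D:\\backups\\win11.iso -StorageType ISO"},
    {"event_id": 4104, "script_block": "Invoke-Item C:\\Temp\\report.pdf"},
    {"event_id": 4104, "script_block": "mount-diskimage -imagepath $p; ii \"$($v):\\run.vbs\""},
    {"event_id": 4103, "script_block": "Mount-DiskImage; Invoke-Item"},  # module log, not a script block
]

# PowerShell cmdlet names are case-insensitive; 'ii' is the built-in alias for Invoke-Item.
MOUNT_RE = re.compile(r"\bMount-DiskImage\b", re.IGNORECASE)
INVOKE_RE = re.compile(r"\b(?:Invoke-Item|ii)\b", re.IGNORECASE)
IMAGE_PATH_RE = re.compile(r"-ImagePath\s+['\"]?([^'\";\s]+)", re.IGNORECASE)


@dataclass
class Alert:
    script_block: str
    image_path: Optional[str]  # value passed to -ImagePath, if it could be extracted


def inspect_script_block(event: dict) -> Optional[Alert]:
    """Return an Alert when one script block both mounts a disk image and invokes an item."""
    if event.get("event_id") != 4104:
        return None
    text = event.get("script_block", "")
    if MOUNT_RE.search(text) and INVOKE_RE.search(text):
        match = IMAGE_PATH_RE.search(text)
        return Alert(script_block=text, image_path=match.group(1) if match else None)
    return None


def scan(events: list) -> list:
    """Apply the check to every event and collect the alerts."""
    return [a for a in (inspect_script_block(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT image_path={alert.image_path!r}: {alert.script_block}")
```

Only blocks that contain both cmdlets raise an alert; a mount on its own (for example a legitimate ISO being opened) or an `Invoke-Item` on its own is ignored, matching the conjunction the summary describes.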