Detects extraction or mounting of container/archive files (e.g., .iso, .vhd, .zip) that were downloaded from the Internet but whose contained files lack the Zone.Identifier alternate data stream (Mark-of-the-Web, MOTW). Because SmartScreen and Protected View key on that stream, files unpacked from such a container run without either check. The analytic correlates the container's file creation and stream metadata with subsequent execution of unsigned or untrusted binaries unpacked from it within a configurable time window.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

| Field | Description |
|---|---|
| WatchedExtensions | Adjust monitored file types (e.g., .iso, .vhd, .zip, .gz, .rar) based on enterprise usage |
| TimeWindow | Defines correlation window between extraction/mount and first execution of inner files |
| TrustedExtractionTools | Whitelist known enterprise archivers and deployment mechanisms to reduce false positives |
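The correlation above, worked through in Python over constructed Sysmon-style events. This is an added example, not part of the original analytic or any MITRE artifact. It relies on the fact that Sysmon Event 15 (FileCreateStreamHash) fires when a named stream such as Zone.Identifier is written, so a container whose Event 15 carries `ZoneId=3` is Internet-sourced, and an extracted file with an Event 11 but no Event 15 is missing MOTW. It covers the extraction case only: a mounted .iso exposes its contents on a new drive letter without per-file creation events, so the mount case needs different correlation. Assumptions: the `Signed` field on the process-creation event is an enrichment added by the pipeline (Sysmon Event 1 carries no signature verdict), the `Contents` field of Event 15 assumes a Sysmon version that records stream contents, and the allow-listed deployment tool path is hypothetical.

```python
from datetime import datetime, timedelta

# Tunables mirroring the fields in the table above.
WATCHED_EXTENSIONS = {".iso", ".vhd", ".zip", ".gz", ".rar"}
TIME_WINDOW = timedelta(minutes=30)
# Hypothetical allow-listed deployment agent; replace with the enterprise's own tools.
TRUSTED_EXTRACTION_TOOLS = {r"c:\program files\deploy\deployagent.exe"}

ZONE_SUFFIX = ":zone.identifier"


def _ext(path):
    dot = path.rfind(".")
    return path[dot:] if dot != -1 else ""


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_motw_bypass(events, watched=WATCHED_EXTENSIONS, window=TIME_WINDOW,
                       trusted=TRUSTED_EXTRACTION_TOOLS):
    """Return one alert per unsigned executable that was written while an
    Internet-sourced container was being unpacked and then ran without MOTW."""
    containers = {}   # container path -> time its Zone.Identifier (ZoneId=3) was written
    created = {}      # file path -> (creation time, creating process)
    tagged = set()    # every file that received a Zone.Identifier stream
    alerts = []
    for e in sorted(events, key=_ts):
        ts = _ts(e)
        if e["id"] == 11:                       # Sysmon FileCreate
            created[e["TargetFilename"].lower()] = (ts, e["Image"].lower())
        elif e["id"] == 15:                     # Sysmon FileCreateStreamHash
            target = e["TargetFilename"].lower()
            if not target.endswith(ZONE_SUFFIX):
                continue
            base = target[:-len(ZONE_SUFFIX)]
            tagged.add(base)
            contents = e.get("Contents", "").replace(" ", "").lower()
            if _ext(base) in watched and "zoneid=3" in contents:
                containers[base] = ts           # Internet-zone container
        elif e["id"] == 1:                      # Sysmon ProcessCreate
            image = e["Image"].lower()
            # MOTW propagated, file never seen being created, or signed: not our case.
            if image in tagged or image not in created or e.get("Signed") == "true":
                continue
            ctime, creator = created[image]
            if creator in trusted:              # TrustedExtractionTools allow-list
                continue
            for cpath, tag_time in containers.items():
                # Inner file written and run inside TimeWindow after the container was tagged.
                if tag_time <= ctime <= tag_time + window and ts <= tag_time + window:
                    alerts.append({"container": cpath, "executable": image,
                                   "extractor": creator, "executed_at": e["ts"]})
                    break
    return alerts


# Constructed sample telemetry (not real logs), three scenarios:
SAMPLE_EVENTS = [
    # A: browser download tagged ZoneId=3, unpacked by an archiver that drops MOTW, then run.
    {"ts": "2024-01-10T09:00:00", "id": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.iso"},
    {"ts": "2024-01-10T09:00:01", "id": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.iso:Zone.Identifier",
     "Contents": "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.invalid/invoice.iso"},
    {"ts": "2024-01-10T09:05:00", "id": 11, "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\setup.exe"},
    {"ts": "2024-01-10T09:06:00", "id": 1, "Image": r"C:\Users\alice\Downloads\invoice\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "false"},
    # B: browser download unpacked by Explorer, which propagates MOTW to the inner file.
    {"ts": "2024-01-10T10:00:00", "id": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tools.zip"},
    {"ts": "2024-01-10T10:00:01", "id": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tools.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]\nZoneId=3"},
    {"ts": "2024-01-10T10:01:00", "id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tools\tool.exe"},
    {"ts": "2024-01-10T10:01:01", "id": 15, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tools\tool.exe:Zone.Identifier",
     "Contents": "[ZoneTransfer]\nZoneId=3"},
    {"ts": "2024-01-10T10:02:00", "id": 1, "Image": r"C:\Users\alice\Downloads\tools\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "false"},
    # C: archive copied from an internal share (no Zone.Identifier at all), unpacked and run.
    {"ts": "2024-01-10T11:00:00", "id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\build.zip"},
    {"ts": "2024-01-10T11:01:00", "id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\build\build.exe"},
    {"ts": "2024-01-10T11:02:00", "id": 1, "Image": r"C:\Users\alice\Downloads\build\build.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "false"},
]

if __name__ == "__main__":
    for alert in detect_motw_bypass(SAMPLE_EVENTS):
        print(alert)   # only scenario A fires
```

Only scenario A alerts: B is suppressed because the inner file received its own Zone.Identifier stream, and C because the container never carried `ZoneId=3`. Adding the archiver's path to `trusted` suppresses A as well, which is how the TrustedExtractionTools field trades coverage for fewer false positives; note that Event 4663 from the Security log adds nothing here unless a SACL audits the relevant directories, so the Sysmon events do the real work.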