Feel free to delete pretty much every category of data available here, with a few exceptions. On older versions of Windows 10, watch out for Downloads, which will delete everything in that folder. You may also want to avoid cleaning the Recycle Bin unless you're sure that you won't need to restore anything from it. If you've recently updated to a new major version of Windows, you'll see a Previous Windows installation(s) entry. Deleting this will remove the old files that Windows keeps for 10 days; those allow you to easily go back to an earlier version. You should also avoid removing the Windows ESD installation files option, as this is used for resetting your PC via Settings. Check out Windows folders you can delete to save space for more info on the specific items you can remove with Disk Cleanup.

Windows 10 and Windows 11 both include much of this same functionality of Disk Cleanup, with a nicer interface, at Settings > System > Storage. You can use the Storage Sense feature found there to automatically clean up files when your disk space is low, or every so often. Click Configure Storage Sense or run it now (on Windows 10) to change these options.

Product: Disk Image File (ISO, IMG, VHD, VHDX)

Summary: Huntress suggests modifying the default option for accessing disk image files from "mount" to "burn disc image" within Windows to help mitigate the threat of malicious actors.

In Feb, 2022, Microsoft announced that they planned to modify the default behavior of macros in Office documents downloaded from the Internet, with the intent of inhibiting or obviating attacks that used this technique (i.e., getting a user to open and enable macros in a weaponized MSWord document or Excel spreadsheet). Shortly thereafter, we began to see (as have others) an increase in threat actors moving to an alternate technique, sending disk image (.ISO. These disk image files bypassed mark-of-the-web (MOTW) “protections”, as the MOTW was not propagated to files within the disk image file. It should be noted that Microsoft has fixed this issue, and MOTW is reportedly now propagated within disk image files. This technique for delivering malware has been observed being used by threat actors intent upon infecting systems with Qakbot, a banking Trojan known to be leveraged for further infections.

The default behavior when accessing disk image files, either via right-clicking to raise the context menu (as illustrated in figure 1), or double-clicking on the file, is to mount the file, making it accessible as an additional volume. Choosing “Mount” from the context menu, or double-clicking, results in the disk image file being mounted as a new volume, as illustrated in figure 2. Threat actors rely on unsuspecting users to automatically mount the disk image file, and then double-click a file within the new volume, such as a Windows shortcut (LNK) file. However, these attacks can be inhibited or even obviated by modifying the default behavior for these file types, as described in a blog post titled “Blocking ISO Mounting”.

The simplest way to implement this prevention mechanism on a single system is to open the Registry Editor and navigate to the HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount subkey. Within this key, add a new “REG_SZ” value named “ProgrammaticAccessOnly”, as illustrated in figure 3. You do not need to add any data to this new value. Once this new value has been added, you do not need to reboot the system for the setting to take effect. After we add the value, right-clicking on the disk image file results in a context menu where the default option is no longer “Mount”, but is instead “Burn disc image”, as illustrated in figure 4.

Figure 4: Context menu with “Burn disc image” option
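To apply and audit the ProgrammaticAccessOnly change described in the disk image advisory above from a script instead of the Registry Editor, here is an added PowerShell example (not from the Huntress post or the “Blocking ISO Mounting” article). The function names are my own; it assumes an elevated prompt, since writing under HKEY_CLASSES_ROOT needs administrator rights, and it only touches the Windows.IsoFile key the advisory names.

```powershell
# Added example, not from the Huntress advisory. The key and value name are
# the ones the advisory gives; Test-/Block-/Unblock- names are assumptions.
# Run from an elevated PowerShell prompt (HKCR writes require admin rights).

$MountKey  = 'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount'
$ValueName = 'ProgrammaticAccessOnly'

function Test-IsoMountBlocked {
    # $true when the value exists. Its data does not matter, only its presence;
    # Get-ItemProperty returns nothing if the key or the value is missing.
    $v = Get-ItemProperty -Path $MountKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $v)
}

function Block-IsoMount {
    if (-not (Test-Path -Path $MountKey)) {
        throw "Expected key not found: $MountKey"
    }
    # REG_SZ with empty data, exactly as the advisory describes. No reboot is
    # needed; Explorer stops offering "Mount" as the default verb immediately.
    New-ItemProperty -Path $MountKey -Name $ValueName -PropertyType String `
        -Value '' -Force | Out-Null
}

function Unblock-IsoMount {
    # Reverses the change by deleting the value (restores "Mount" as default).
    Remove-ItemProperty -Path $MountKey -Name $ValueName -ErrorAction SilentlyContinue
}

# Audit first, then enforce only if needed, so the script is safe to re-run
# (for example from a scheduled task or an endpoint management tool).
if (Test-IsoMountBlocked) {
    Write-Output "$ValueName already present under $MountKey; 'Mount' is not the default verb."
} else {
    Block-IsoMount
    Write-Output "Added $ValueName; the right-click default for .iso files is now 'Burn disc image'."
}
```

Double-clicking an .iso still mounts nothing by default after this, but a user can still choose Mount explicitly from the context menu, so treat it as friction against the one-click lure rather than a full block.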