Published: 27 May 2022 - 03:00 -0500
One of the hard parts of implementing a block like this is the concern that it will “break something”. The DFIR Report’s post on Bumblebee Round 2 has a great suggestion on how to detect legitimate (and illegitimate) use of ISO mounting using Event ID 12 of the Microsoft-Windows-VHDMP-Operational logs. It’s not one of the main Application/System/Security logs so you may have to configure your forwarders to start capturing it, but it will give you a good idea of how common it is for your organization to mount ISOs. The following image is an example that I stole from the DFIR Report’s blog post.
First, I corrected the misspelling of ProgrammaticAccessOnly - thanks Josh!
Second, I added SCSI\CdRomMsft____Virtual_DVD-ROM_ into the blog post to make it easier to copy/paste.
Finally, if you are following the below process of blocking ISOs using the SCSI\CdRomMsft____Virtual_DVD-ROM_ method, before you block you may want to double-check how widespread the use of virtual ISO mounting is in your environment. You can do so via Event ID 6422. You can see if you have it enabled on a specific host using the following command:
Using this GPO setting:
Recently I’ve been hearing about malware mounting ISOs as a method of bypassing AV and EDR. For example this article from Bleeping Computer - “Uptick Seen in ISO Email Attachments Delivering Malware” posted December 23rd, 2019, or DARK Reading - “ChromeLoader Malware Hijacks Browsers with ISO Files” posted May 27th, 2022.
The problem I found with these articles, and many like them, is that they didn’t really offer any sort of method to protect yourself or your company from ISO-mounted malware, so I went to try to find a solution myself (couldn’t be that hard, right?). It turns out that if you google for “Stop Windows from Mounting ISOs” or something similar you get a bunch of MSDN articles from people trying to solve the same issue for one reason or another.
After a lot of googling I found this article on Winaero - “Remove Mount Context Menu in Windows 10” posted April 5th 2018. This article shows how to add a simple registry value named ProgrammaticAccessOnly (under HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount, as shown in the tweet below) which would remove the context menu item when you right-clicked an ISO. It also removed the functionality of double-clicking to auto-mount ISOs. Here is the tweet from May 4th, 2022 when I figured this out:
For those that are dealing with ISO based malware downloads, might I suggest the following solution: https://t.co/2SHxqQFCTG— Rob Fuller (@mubix) May 4, 2022
Basically add "ProgrammaticAccessOnly" to HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount as a REG_SZ
This can be done at a GPO level :)
This was great because you could put this into a Group Policy and make it so everyone was protected but administrators could still mount drives with PowerShell and the
I haven’t seen malware that downloads ISOs and executes what’s in them programmatically after mounting them, but I have heard that this type of malware does exist, and the above protection won’t stop that use case. So I went digging again for a more holistic approach.
After a lot of googling again, I found this post from NeighborGeek - “Error mounting ISO file - ‘Sorry, there was a problem mounting the file’” posted October 31st, 2017. This post described “Device Installation Restrictions” in Group Policy that were blocking ISOs from being mounted. I didn’t know how to make those settings, but I found a great article on MSDN - “Manage Device installation with Group Policy” that showed me how.
After playing around with it a bit I was able to block ISOs from being mounted by double click, by context menu, and programmatically through PowerShell with one simple GPO:
For ease of copy paste:
KEY TAKEAWAY: I would highly recommend this GPO on all of your workstations / laptops. Obviously servers need ISOs a lot more (not sure it’s all that common to mount an ISO directly in the OS anymore instead of through virtualization software, but I definitely haven’t been a sysadmin in a while).
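Before rolling the GPO out, the update at the top of this post suggests measuring how often ISOs actually get mounted (the DFIR Report’s Event ID 12 trick) and then confirming the block took. The following PowerShell is an added example written for this page, not code from the post, the DFIR Report, or Microsoft; it assumes Event ID 12 in Microsoft-Windows-VHDMP-Operational carries the image path in its message text (extracted with a regex), and the Restrictions registry path is my assumption of where the device-installation GPO lands, so verify with gpresult if it disagrees.

```powershell
# Added example (not the post's own code). Run in an elevated PowerShell on a
# test host to gauge ISO mounting before blocking, then to confirm the block.

function Get-IsoMountActivity {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-VHDMP-Operational'   # not a default-forwarded log
        Id        = 12
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Hosts that never mounted an image have no events; treat that as "no activity".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $path = $null   # assumption: the message contains the image path
        if ($e.Message -match '([A-Za-z]:\\[^"\r\n]+?\.(iso|img|vhdx?))') { $path = $Matches[1] }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Image     = $path
            Extension = if ($path) { [IO.Path]::GetExtension($path).ToLower() } else { $null }
        }
    }
}

function Test-IsoMountHardening {
    # Block 1 from the post: REG_SZ ProgrammaticAccessOnly under the IsoFile mount verb.
    $mountKey = 'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount'
    $ctxBlocked = $null -ne (Get-ItemProperty -Path $mountKey -Name ProgrammaticAccessOnly `
                                              -ErrorAction SilentlyContinue)
    # Block 2 from the post: device installation restriction on the virtual DVD-ROM ID.
    # Assumed policy location; "DenyDeviceIDs" holds one string value per blocked ID.
    $restrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $denyIds = Get-ItemProperty -Path "$restrictKey\DenyDeviceIDs" -ErrorAction SilentlyContinue
    $virtualDvdBlocked = $false
    if ($denyIds) {
        $virtualDvdBlocked = $denyIds.PSObject.Properties.Value -contains 'SCSI\CdRomMsft____Virtual_DVD-ROM_'
    }
    [pscustomobject]@{
        ContextMenuMountBlocked = $ctxBlocked
        VirtualDvdDeviceBlocked = $virtualDvdBlocked
    }
}

# How common is image mounting here, and which images? Then: is the host hardened?
Get-IsoMountActivity -Days 90 | Group-Object Extension | Select-Object Name, Count
Get-IsoMountActivity -Days 90 | Group-Object Image | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
Test-IsoMountHardening
```

Run the activity query across forwarded logs on the collector once the VHDMP-Operational channel is in your subscription, since per-host output only tells you about that host.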
Here is the tweet from May 21st, 2022 once I figured it out:
After some conversations about this fix, I wanted to look for something more wholistic. Something that would stop both double click, right click mount, and scripted mounting from powershell, etc. So I found this: https://t.co/5ABmw1acIK— Rob Fuller (@mubix) May 21, 2022
which led me here: https://t.co/2at7IhOhTt https://t.co/xP5IZhwcNK