
ISO Image Mounted

Detects the mount of an ISO image on an endpoint

Author
Syed Hasan
Created
Sat May 29
Updated
Thu Nov 09
Rule ID
0248a7bc-8a9a-4cd8-a57e-3ae8e073a073

Log Source
Product
windows
Service
security

Definition

The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure

Detection Logic
detection:
    selection:
        EventID: 4663
        ObjectServer: 'Security'
        ObjectType: 'File'
        ObjectName|startswith: '\Device\CdRom'
    filter_main_generic:
        ObjectName:
            - '\Device\CdRom0\autorun.ico'
            - '\Device\CdRom0\setup.exe'
            - '\Device\CdRom0\setup64.exe'
    condition: selection and not 1 of filter_main_*
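The rule above reads cleanly but its edge cases are easy to misjudge, so here is the same logic evaluated over a handful of constructed 4663 events. This is an added example, not code from the rule page or from the Sigma project; the events are hand-written dicts whose keys mirror the Sigma field names, and string comparisons are done case-insensitively, which is what the Sigma specification prescribes for plain and `startswith` matching. Two things the example makes visible: the filter list is an exact-match allowlist scoped to `\Device\CdRom0`, so the same installer names on `\Device\CdRom1` still alert, and a case-varied spelling of a filtered path is suppressed rather than alerted.

```python
"""
Sigma matching semantics for the "ISO Image Mounted" rule, applied to
constructed Windows Security 4663 events (added example, not page code).
"""

# Constructed sample events; keys follow the Sigma field names used by the rule.
SAMPLE_EVENTS = [
    # Installer media: suppressed by filter_main_generic
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\setup.exe"},
    # Document lure delivered inside an ISO: should alert
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\invoice.lnk"},
    # Second optical device: the filter only lists CdRom0, so this still alerts
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom1\setup.exe"},
    # Case variation of a filtered path: Sigma matching is case-insensitive, so suppressed
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\DEVICE\CDROM0\SETUP.EXE"},
    # Directory object rather than File: excluded by the selection
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "Directory",
     "ObjectName": r"\Device\CdRom0"},
    # Unrelated access on a fixed disk
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\Documents\report.docx"},
    # Handle request (4656) instead of access (4663): excluded by EventID
    {"EventID": 4656, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\payload.dll"},
]

# filter_main_generic from the rule, verbatim.
FILTER_MAIN_GENERIC = (
    r"\Device\CdRom0\autorun.ico",
    r"\Device\CdRom0\setup.exe",
    r"\Device\CdRom0\setup64.exe",
)


def _eq(a, b):
    """Sigma plain string match: exact, case-insensitive."""
    return str(a).lower() == str(b).lower()


def selection(event):
    """The 'selection' block: all four fields must match (implicit AND)."""
    name = str(event.get("ObjectName", "")).lower()
    return (
        event.get("EventID") == 4663
        and _eq(event.get("ObjectServer", ""), "Security")
        and _eq(event.get("ObjectType", ""), "File")
        and name.startswith(r"\device\cdrom")  # ObjectName|startswith
    )


def filter_main_generic(event):
    """The filter block: ObjectName equals any listed value (implicit OR)."""
    name = event.get("ObjectName", "")
    return any(_eq(name, f) for f in FILTER_MAIN_GENERIC)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_generic(event)


def run_rule(events):
    """Return the ObjectName of every event that fires the rule, in order."""
    return [e["ObjectName"] for e in events if matches(e)]


if __name__ == "__main__":
    for object_name in run_rule(SAMPLE_EVENTS):
        print("ALERT ISO Image Mounted:", object_name)
```

When porting the rule to a backend, confirm that the converted query preserves the case-insensitive exact match on the filter values; a backend that emits a case-sensitive comparison would let `\DEVICE\CDROM0\SETUP.EXE` through as an alert, which is not what the rule intends.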
False Positives

Software installation ISO files

Rule Metadata
Rule ID
0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
Status
test
Level
medium
Type
Detection
Created
Sat May 29
Modified
Thu Nov 09
Path
rules/windows/builtin/security/win_security_iso_mount.yml
Raw Tags
attack.initial-access
attack.t1566.001