title: ISO Image Mount
author: Syed Hasan (@syedhasan009)
date: 2021/05/29
description: Detects the mount of ISO images on an endpoint
detection:
  SELECTION_1:
    EventID: 4663
  SELECTION_2:
    ObjectServer: Security
  SELECTION_3:
    ObjectType: File
  SELECTION_4:
    ObjectName: \Device\CdRom*
  SELECTION_5:
    ObjectName: \Device\CdRom0\setup.exe
  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
    (SELECTION_5))
falsepositives:
- Software installation ISO files
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
level: medium
logsource:
  definition: The advanced audit policy setting "Object Access > Audit Removable Storage"
    must be configured for Success/Failure
  product: windows
  service: security
modified: 2021/11/20
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
status: experimental
tags:
- attack.initial_access
- attack.t1566.001
ruletype: SIGMA