Detection rules › Sigma
ISO or Image Mount Indicator in Recent Files
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
or:
TargetFilename|endswith: .img.lnk
TargetFilename|endswith: .iso.lnk
TargetFilename|endswith: .vhd.lnk
TargetFilename|endswith: .vhdx.lnk
TargetFilename|contains: '\Microsoft\Windows\Recent\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | ends_with |
|
TargetFilename | match |
|