ISO Image Mounted

Severity: medium
Author: Syed Hasan (@syedhasan009)
Source: upstream

Detects the mount of an ISO image on an endpoint

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1566.001` Phishing: Spearphishing Attachment

Event coverage

Provider	Event ID	Title
Security-Auditing	4663	An attempt was made to access an object.

Stages and Predicates

Stage 1: `selection`

ObjectName|startswith: '\Device\CdRom'
ObjectServer: Security
ObjectType: File

Stage 2: `not 1 of filter_main_generic`

ObjectName: ['\Device\CdRom0\autorun.ico', '\Device\CdRom0\setup.exe', '\Device\CdRom0\setup64.exe']

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ObjectName`	eq	`\Device\CdRom0\autorun.ico` `\Device\CdRom0\setup.exe` `\Device\CdRom0\setup64.exe`
`ObjectName`	starts_with	`\Device\CdRom`
`ObjectServer`	eq	`Security`
`ObjectType`	eq	`File` corpus 5 (sigma 3, splunk 2)