valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
da6b5f8ec5
SigmaHQ/rules/windows/builtin/win_iso_mount.yml
Florian Roth 28abdf3a81
Update win_iso_mount.yml
2021-06-10 09:31:40 +02:00

28 lines
1.0 KiB
YAML
Raw Blame History

title: ISO Image Mount
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
description: Detects the mount of ISO images on an endpoint
status: experimental
date: 2021/05/29
author: Syed Hasan (@syedhasan009)
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
tags:
- attack.initial_access
- attack.t1566.001
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
selection:
EventID: 4663
ObjectServer: 'Security'
ObjectType: 'File'
ObjectName: '\Device\CdRom*'
condition: selection
falsepositives:
- Software installation ISO files
level: medium
Reference in New Issue View Git Blame Copy Permalink