3_win_security_iso_mount.yml
title: ISO Image Mount
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: experimental
description: Detects the mount of ISO images on an endpoint
references:
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
    - https://twitter.com/MsftSecIntel/status/1257324139515269121
author: Syed Hasan (@syedhasan009)
date: 2021/05/29
modified: 2022/10/05
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
    selection:
        EventID: 4663
        ObjectServer: 'Security'
        ObjectType: 'File'
        ObjectName|startswith: '\Device\CdRom'
    filter:
        ObjectName: '\Device\CdRom0\setup.exe'
    condition: selection and not filter
falsepositives:
    - Software installation ISO files
level: medium
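As an added illustration, not part of the rule or of the Sigma project, the following Python reproduces this rule's detection block (selection and not filter), including Sigma's default case-insensitive string matching, and runs it over constructed 4663-style Security records; the `_evt` helper and the sample ObjectName values are assumptions made here for the demonstration.

```python
# Transcribed from the rule's detection block above.
SELECTION = {
    "EventID": 4663,
    "ObjectServer": "Security",
    "ObjectType": "File",
    "ObjectName|startswith": "\\Device\\CdRom",
}
FILTER = {"ObjectName": "\\Device\\CdRom0\\setup.exe"}


def _field_matches(event, key, expected):
    """Apply one Sigma field (with optional |modifier). Sigma string matching
    is case-insensitive by default, so both sides are lower-cased."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if isinstance(expected, int):
        return actual == expected
    if not isinstance(actual, str):
        return False
    actual, expected = actual.lower(), expected.lower()
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event):
    """The rule's condition: selection and not filter."""
    sel = all(_field_matches(event, k, v) for k, v in SELECTION.items())
    flt = all(_field_matches(event, k, v) for k, v in FILTER.items())
    return sel and not flt


def _evt(object_name, event_id=4663):
    """Build a constructed Security-log record (hypothetical, not real telemetry)."""
    return {"EventID": event_id, "ObjectServer": "Security",
            "ObjectType": "File", "ObjectName": object_name}


SAMPLE_EVENTS = [
    _evt("\\Device\\CdRom0\\Invoice.lnk"),                # file inside a mounted ISO: alert
    _evt("\\device\\cdrom1\\payload.js"),                 # case differs, still matches
    _evt("\\Device\\CdRom0\\setup.exe"),                  # excluded by the rule's filter
    _evt("\\Device\\HarddiskVolume3\\Users\\a\\x.pdf"),   # ordinary disk access, no match
    _evt("\\Device\\CdRom0\\payload.js", event_id=4656),  # handle request, not 4663
]


def matching_objects(events=SAMPLE_EVENTS):
    """Return the ObjectName of every event the rule would alert on."""
    return [e["ObjectName"] for e in events if rule_matches(e)]
```

Because the filter is also matched case-insensitively, `\Device\CdRom0\SETUP.EXE` is suppressed exactly like the lower-case spelling, while a setup.exe on any other CdRom device number still alerts.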