
Summary
The rule detects the mounting of ISO images on Windows systems, an activity that can signify malicious behavior and is particularly associated with advanced persistent threat (APT) groups such as Lazarus (APT29). ISO files can circumvent security mechanisms because files extracted from them lack the Zone Identifier alternate data stream, which normally records that a file was downloaded from the internet. Without this identifier, malicious code bypasses Windows' mark-of-the-web (MOTW) protections, which makes ISO files a favored medium for attackers to deliver payloads. The rule uses Splunk queries over Windows Security event logs, specifically event ID 4663 (an attempt was made to access an object) where the accessed object is a CD-ROM device, and filters out benign setup files. Detecting this activity lets security analysts identify potentially harmful behavior early, before it leads to further compromise of the affected system.
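As an added illustration of the detection logic described above (not the rule's actual Splunk query), the following Python example applies the same filter to a constructed batch of Windows Security events: keep event ID 4663 records whose object is a CD-ROM device and drop those generated by setup programs. The `\Device\CdRom` object-name prefix, the `setup.exe` process-name heuristic, and the field names are assumptions, not taken from the page.

```python
"""Toy re-implementation of the ISO-mount detection described above.

Assumptions (not from the page): each event is a dict carrying the fields of a
Windows Security 4663 record (EventCode, ObjectName, ProcessName, SubjectUserName,
ComputerName); CD-ROM objects are named with the '\\Device\\CdRom' prefix; benign
installer activity is approximated by process names ending in 'setup.exe'.
"""
import ntpath
from typing import Dict, Iterable, List

CDROM_PREFIX = "\\Device\\CdRom"      # assumed device object prefix
BENIGN_PROCESS_SUFFIXES = ("setup.exe",)  # assumed allow-list heuristic


def is_cdrom_access(event: Dict[str, str]) -> bool:
    """True for a 4663 event whose accessed object is a CD-ROM device."""
    return (str(event.get("EventCode", "")) == "4663"
            and event.get("ObjectName", "").startswith(CDROM_PREFIX))


def is_benign_setup(event: Dict[str, str]) -> bool:
    """True when the accessing process looks like an installer (filtered out)."""
    exe = ntpath.basename(event.get("ProcessName", "")).lower()
    return exe.endswith(BENIGN_PROCESS_SUFFIXES)


def detect_iso_mounts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return alert records for CD-ROM object access not attributable to setup files."""
    alerts = []
    for ev in events:
        if is_cdrom_access(ev) and not is_benign_setup(ev):
            alerts.append({
                "host": ev.get("ComputerName", "?"),
                "user": ev.get("SubjectUserName", "?"),
                "process": ev.get("ProcessName", "?"),
                "object": ev["ObjectName"],
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": "4663", "ObjectName": "\\Device\\CdRom0", "ProcessName":
     "C:\\Windows\\explorer.exe", "SubjectUserName": "alice", "ComputerName": "WS01"},
    {"EventCode": "4663", "ObjectName": "\\Device\\CdRom1", "ProcessName":
     "C:\\Temp\\vendor_setup.exe", "SubjectUserName": "bob", "ComputerName": "WS02"},
    {"EventCode": "4663", "ObjectName": "\\Device\\HarddiskVolume3\\a.txt",
     "ProcessName": "C:\\Windows\\notepad.exe", "SubjectUserName": "alice",
     "ComputerName": "WS01"},
    {"EventCode": "4688", "ObjectName": "\\Device\\CdRom0", "ProcessName":
     "C:\\Windows\\explorer.exe", "SubjectUserName": "carol", "ComputerName": "WS03"},
]

if __name__ == "__main__":
    for alert in detect_iso_mounts(SAMPLE_EVENTS):
        print(alert)
```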
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1553.005
- T1204.002
Created: 2024-02-09