
Summary
This detection rule identifies the creation of ISO files within two temporary folders on Windows systems: the Outlook temporary (INetCache) folder and the AppData Local Temp folder. ISO files in these locations are atypical and can indicate malicious behavior, in particular the Qakbot malware's tactics, techniques, and procedures (TTPs) observed around July 2022. The rule leverages the `file_event` log source and monitors two selection conditions: 1) an ISO file created in the AppData Local Temp folder, and 2) an ISO file created in the Outlook INetCache folder. A match on either condition triggers a detection event. The rule acknowledges one false positive scenario: a system administrator legitimately opening a zip file that contains an ISO file. Given the level of threat associated with Qakbot, this detection is considered high priority.
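As an added example (not part of the rule or its description), the two selection conditions above implemented over constructed `file_event` records in Python; the exact path fragments `\AppData\Local\Temp\` and `\INetCache\Content.Outlook\`, the record fields (modelled on Sysmon FileCreate events) and the sample events are assumptions, and the zip-extraction note is a triage hint for the false positive the rule describes.

```python
"""Toy implementation of the ISO-in-temp-folder detection described above.

Assumptions (not from the rule text): the path fragments matched, the shape
of a file_event record, and the constructed sample events below.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class FileEvent:
    utc_time: str
    image: str            # process that created the file
    target_filename: str  # full path of the file that was created


def match_selection(path: str) -> Optional[str]:
    """Return the name of the selection the path satisfies, or None.

    Both selections require an .iso extension; they differ only in the folder.
    Comparison is case-insensitive because NTFS paths are.
    """
    p = path.lower()
    if not p.endswith(".iso"):
        return None
    if "\\appdata\\local\\temp\\" in p:              # selection 1 (assumed fragment)
        return "selection_appdata_temp"
    if "\\inetcache\\content.outlook\\" in p:        # selection 2 (assumed fragment)
        return "selection_outlook_cache"
    return None


def detect(events: Iterable[FileEvent]) -> List[Dict[str, str]]:
    """Emit one alert per event matching either selection (logical OR)."""
    alerts = []
    for ev in events:
        sel = match_selection(ev.target_filename)
        if sel is None:
            continue
        alert = {"time": ev.utc_time, "selection": sel,
                 "image": ev.image, "file": ev.target_filename}
        # Triage hint for the documented false positive: Explorer extracts a zip
        # it opens into a Temp1_<name>.zip folder under %TEMP% (assumed convention).
        if "\\temp1_" in ev.target_filename.lower():
            alert["note"] = "looks like zip extraction; verify against the admin false-positive case"
        alerts.append(alert)
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("2022-07-30 10:01:02", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\Q1W2E3R4\Invoice_2291.iso"),
    FileEvent("2022-07-30 10:01:09", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\Temp1_Invoice.zip\Invoice_2291.iso"),
    FileEvent("2022-07-30 10:02:00", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\report.docx"),       # not an ISO
    FileEvent("2022-07-30 10:03:00", r"C:\Windows\System32\svchost.exe",
              r"D:\images\ubuntu-22.04.iso"),                           # ISO outside monitored folders
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```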
Categories
- Windows
- Endpoint
Data Sources
- File
ATT&CK Techniques
- T1553.005
Created: 2022-07-30