
Windows Phishing Recent ISO Exec Registry

Splunk Security Content

Summary
This detection rule identifies the registry artifacts that Windows Explorer writes when a user opens, double-clicks, or mounts an ISO or IMG disk image. It watches for creation of, or value writes to, the registry keys that record recent use of .iso and .img files, using Sysmon Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set) as ingested into the Endpoint.Registry data model. Disk images are increasingly used as phishing attachments: Windows mounts them natively on double-click, so the attachment sidesteps controls that focus on macro-enabled Office documents, and files inside a mounted image historically did not carry the Mark-of-the-Web, so SmartScreen and Protected View did not apply to them. A hit therefore flags a likely initial-access attempt that may be followed by payload execution, persistence, or data exfiltration. Because administrators and developers also mount ISO images legitimately (OS installers, driver packages, virtual media), treat the alert as a triage signal rather than proof of compromise: correlate the user and host with a preceding mail-client or browser download, a newly created drive letter, and any process launched from the mounted volume, and allowlist known software-distribution workflows.
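The matching logic described above, run over a few constructed Sysmon registry events normalised to Endpoint.Registry field names. This is an added illustration, not Splunk's own search or code. It assumes (the page does not say so) that the artifact checked is Explorer's RecentDocs MRU subkey for the `.iso` and `.img` extensions, that events carry a Sysmon EventID of 12 or 13, and that the sample events, host names and users below are made up for the example.

```python
"""
Added example (not part of the Splunk Security Content page): the matching
logic of 'Windows Phishing Recent ISO Exec Registry' applied to constructed
Sysmon registry events with Endpoint.Registry-style field names.

Assumptions not stated on the page:
  * the registry artifact is Explorer's RecentDocs MRU subkey, e.g.
    HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso
    (and \.img), which Explorer updates when a user opens such a file;
  * events carry a Sysmon EventID of 12 (key create/delete) or 13 (value set).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Case-insensitive match on the assumed RecentDocs subkey for .iso / .img.
# The trailing (\\|$) stops '.iso' from matching longer extensions such as
# '.isolated' and keeps the match anchored to the RecentDocs subtree.
RECENT_ISO_IMG = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"
    r"\\\.(iso|img)(\\|$)",
    re.IGNORECASE,
)

REGISTRY_EVENT_IDS = {12, 13}  # Sysmon key create/delete and value set


@dataclass(frozen=True)
class RegistryEvent:
    """One Sysmon registry event, named after Endpoint.Registry fields."""
    event_id: int
    dest: str
    user: str
    process_name: str
    registry_path: str


# Constructed sample events (hosts, SIDs and users are made up).
SAMPLE_EVENTS = [
    # alice opens an ISO attachment: Explorer rewrites the .iso MRU list
    RegistryEvent(13, "WS01", r"CORP\alice", "explorer.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                  r"\CurrentVersion\Explorer\RecentDocs\.iso\MRUListEx"),
    RegistryEvent(13, "WS01", r"CORP\alice", "explorer.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                  r"\CurrentVersion\Explorer\RecentDocs\.iso\0"),
    # bob opens a Word document: same key family, different extension -> ignored
    RegistryEvent(13, "WS01", r"CORP\bob", "explorer.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows"
                  r"\CurrentVersion\Explorer\RecentDocs\.docx\MRUListEx"),
    # carol opens an .img for the first time: the subkey itself is created (ID 12)
    RegistryEvent(12, "WS02", r"CORP\carol", "explorer.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1003\Software\Microsoft\Windows"
                  r"\CurrentVersion\Explorer\RecentDocs\.img"),
    # unrelated Explorer key -> ignored
    RegistryEvent(13, "WS02", r"CORP\carol", "explorer.exe",
                  r"HKU\S-1-5-21-1111-2222-3333-1003\Software\Microsoft\Windows"
                  r"\CurrentVersion\Explorer\TypedPaths\url1"),
    # '.iso' file-type registration under HKLM is not a recent-use artifact -> ignored
    RegistryEvent(13, "WS02", "SYSTEM", "msiexec.exe",
                  r"HKLM\Software\Classes\.iso\OpenWithProgids\Windows.IsoFile"),
]


def is_recent_iso_img(ev: RegistryEvent) -> bool:
    """True when the event is a registry key/value event on the .iso/.img MRU key."""
    return ev.event_id in REGISTRY_EVENT_IDS and bool(
        RECENT_ISO_IMG.search(ev.registry_path)
    )


def detect(events):
    """Return the events that would fire the detection."""
    return [ev for ev in events if is_recent_iso_img(ev)]


def summarize(events):
    """Count hits per (dest, user), mirroring a 'by dest, user' grouping."""
    return dict(Counter((ev.dest, ev.user) for ev in detect(events)))


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"{ev.dest} {ev.user} {ev.process_name} {ev.registry_path}")
    print(summarize(SAMPLE_EVENTS))
```

For triage, the `(dest, user)` grouping is the pivot: join it against mail-gateway or browser download logs for the same user and against process-creation events whose image path sits on a newly assigned drive letter.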
Categories
  • Endpoint
Data Sources
  • Sysmon EventID 12 (registry key created or deleted)
  • Sysmon EventID 13 (registry value set)
  • Windows Registry
ATT&CK Techniques
  • T1566.001 (Phishing: Spearphishing Attachment)
  • T1566 (Phishing)
Created: 2024-11-13