ISO Image Mounted

Sigma Rules

Summary
This detection rule monitors for the mounting of ISO images on Windows endpoints by looking for Event ID 4663 (an object access event) in the Security log. It identifies when a file on a CD-ROM device is accessed, which is how a mounted ISO appears to the operating system, and treats that as a possible sign of malicious activity, since attackers use ISO files to deliver malware via social engineering. The rule matches on the Object Name prefix \Device\CdRom to restrict events to media the system recognizes as a CD-ROM device. A filter excludes common legitimate files such as autorun.ico and setup.exe, which typically accompany benign software installations. This keeps the detection focused on unusual mounting behaviour without generating excessive false positives, although ISO-based software installers may still be flagged.
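The matching logic described above, written out as an added Python example (this is not the Sigma rule itself or any project code). It assumes events have already been parsed into dictionaries whose keys mirror the Windows Security event 4663 fields (EventID, ObjectServer, ObjectType, ObjectName); the sample events are constructed for this illustration, and the case-insensitive comparison follows Sigma's default string matching.

```python
"""Added example: a minimal reimplementation of the "ISO Image Mounted"
detection logic. Not the Sigma rule's own code. Field names follow the
Windows Security event 4663 schema; the sample events below are constructed."""

# Object names on a mounted ISO start with this device prefix (from the page).
CDROM_PREFIX = r"\Device\CdRom".lower()

# Benign files the page says the rule excludes. Assumption: matched as the
# final path component, case-insensitively, as Sigma does by default.
BENIGN_SUFFIXES = (r"\autorun.ico", r"\setup.exe")


def is_iso_mount_access(event: dict) -> bool:
    """Return True when a 4663 file-access event refers to a file on a
    CD-ROM device and the file is not one of the excluded benign names."""
    if event.get("EventID") != 4663:
        return False
    # The page describes access to a *file* on the device; assumption that
    # the ObjectType field carries that distinction.
    if str(event.get("ObjectType", "")).lower() != "file":
        return False
    name = str(event.get("ObjectName", "")).lower()
    if not name.startswith(CDROM_PREFIX):
        return False
    if any(name.endswith(suffix) for suffix in BENIGN_SUFFIXES):
        return False
    return True


def detect_iso_mounts(events):
    """Filter an iterable of parsed events down to the ones the rule flags."""
    return [e for e in events if is_iso_mount_access(e)]


# Constructed sample events covering each branch of the logic.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\Invoice_2021.lnk", "SubjectUserName": "alice"},
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\setup.exe", "SubjectUserName": "bob"},
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\HarddiskVolume3\Users\bob\report.docx",
     "SubjectUserName": "bob"},
    {"EventID": 4656, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom1\document.pdf", "SubjectUserName": "carol"},
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\device\cdrom1\AUTORUN.ICO", "SubjectUserName": "carol"},
]


if __name__ == "__main__":
    for hit in detect_iso_mounts(SAMPLE_EVENTS):
        print(f"ISO mount access: user={hit['SubjectUserName']} "
              f"object={hit['ObjectName']}")
```

Only the first sample event is reported: the setup.exe and AUTORUN.ICO accesses are dropped by the exclusion list (note the mixed-case device path still matches), the hard-disk path fails the prefix check, and event 4656 is a handle request rather than the 4663 access the rule keys on. In a real deployment the exclusion list is the place to tune false positives from installer ISOs without loosening the device-prefix match.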
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • File
ATT&CK Techniques
  • T1553.005
Created: 2021-05-29