ISO Image Mount
Detects the mount of ISO images on an endpoint
Sigma rule (View on GitHub)
1title: ISO Image Mount
2id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
3status: experimental
4description: Detects the mount of ISO images on an endpoint
5references:
6 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
7 - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
8 - https://twitter.com/MsftSecIntel/status/1257324139515269121
9author: Syed Hasan (@syedhasan009)
10date: 2021/05/29
11modified: 2022/10/05
12tags:
13 - attack.initial_access
14 - attack.t1566.001
15logsource:
16 product: windows
17 service: security
18 definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
19detection:
20 selection:
21 EventID: 4663
22 ObjectServer: 'Security'
23 ObjectType: 'File'
24 ObjectName|startswith: '\Device\CdRom'
25 filter:
26 ObjectName: '\Device\CdRom0\setup.exe'
27 condition: selection and not filter
28falsepositives:
29 - Software installation ISO files
30level: medium```
References
-
A malicious spam campaign conducted in April used ISO image files to deliver the notorious LokiBot and NanoCore trojans.
Read More -
.node-blog-full .blog-content img { border: 1px solid #000 !important; } In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT,...
Read More