diff --git a/rules/windows/builtin/win_iso_mount.yml b/rules/windows/builtin/win_iso_mount.yml
index 40796d9e7..1e9b3836f 100644
--- a/rules/windows/builtin/win_iso_mount.yml
+++ b/rules/windows/builtin/win_iso_mount.yml
@@ -3,6 +3,7 @@ id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
 description: Detects the mount of ISO images on an endpoint
 status: experimental
 date: 2021/05/29
+modified: 2021/11/20
 author: Syed Hasan (@syedhasan009)
 references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
@@ -21,7 +22,9 @@ detection:
         ObjectServer: 'Security'
         ObjectType: 'File'
         ObjectName: '\Device\CdRom*'
-    condition: selection
+    filter:
+        ObjectName: '\Device\CdRom0\setup.exe'
+    condition: selection and not filter
 falsepositives:
     - Software installation ISO files
 level: medium
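Review bot: The new `filter` suppresses only the literal path `\Device\CdRom0\setup.exe`, which does not line up with the `\Device\CdRom*` wildcard in `selection`: an image mounted on a later device (presumably `CdRom1` and up) with the same `setup.exe` still alerts, while every image on the first device whose root holds a file named `setup.exe` is silently dropped. Since the file names inside an image are chosen by whoever built it, that exclusion is keyed on attacker-controlled data and weakens the rule more than the `falsepositives` entry lets on. If installer media is the intended false positive, either anchor the filter on something the endpoint controls, or at minimum make the exclusion consistent with the selection, `ObjectName: '\Device\CdRom*\setup.exe'`, and record the trade-off under `falsepositives`, e.g. `- Any image containing a root-level setup.exe is excluded by the filter`. The `selection` key and the rest of the `detection` mapping start outside the hunk.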