From 59a673586c7ae610c6853e2b09c72c17e6c201c1 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 22 Jun 2023 09:51:44 -0400 Subject: [PATCH] Update file_event_win_iso_file_mount.yml --- rules/windows/file/file_event/file_event_win_iso_file_mount.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml index 031e74836..19bd73e2e 100644 --- a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml +++ b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml @@ -5,6 +5,7 @@ description: Detects the creation of a ISO file in the Outlook temp folder or in references: - https://twitter.com/Sam0x90/status/1552011547974696960 - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html + - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image author: '@sam0x90' date: 2022/07/30 tags:
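Review bot: The added reference (the new third entry under `references:`) points at Atomic Red Team T1553.005 test 1, "Mount ISO image", while the description shown in the hunk header says the rule detects the creation of an ISO file. Please confirm that running that test produces a file event this rule matches, and say so in the commit message, which currently reads only "Update file_event_win_iso_file_mount.yml". The context lines also show `date: 2022/07/30` followed directly by `tags:`, so the rule carries no `modified` field there; consider adding `modified: 2023/06/22` after `date` so the change is visible in the rule metadata. The `tags:` list itself is cut off after the hunk, so it is worth checking that it already carries the T1553.005 technique tag the new reference implies. Pinning the link to a commit hash rather than a branch is good and should stay.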