
# Sigma rule: flags file-object access on a CD-ROM device path, which is
# how a mounted ISO image surfaces in the Windows Security log.
title: ISO Image Mount
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: experimental
description: Detects the mount of ISO images on an endpoint
references:
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
    - https://twitter.com/MsftSecIntel/status/1257324139515269121
author: Syed Hasan (@syedhasan009)
# Sigma date convention (YYYY/MM/DD) — not an ISO date, so parsers keep it a string.
date: 2021/05/29
modified: 2022/10/05
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    service: security
    # Without this audit subcategory enabled, Event ID 4663 is never written for
    # removable storage and the rule produces no hits at all.
    definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
    selection:
        # 4663 = "An attempt was made to access an object" (object access audit).
        EventID: 4663
        ObjectServer: 'Security'
        ObjectType: 'File'
        # Single quotes keep the backslashes literal; prefix match covers
        # \Device\CdRom0, \Device\CdRom1, ... — any CD-ROM device index.
        ObjectName|startswith: '\Device\CdRom'
    filter:
        # Exact-match exclusion: only setup.exe on CdRom0 is filtered out.
        # NOTE(review): the same file on CdRom1 or higher still matches the
        # selection — confirm this narrowness is intended.
        ObjectName: '\Device\CdRom0\setup.exe'
    condition: selection and not filter
falsepositives:
    - Software installation ISO files
level: medium