Techniques
Sample rules
ISO or Image Mount Indicator in Recent Files
- source: sigma
- techniques:
- t1566
- t1566.001
Description
Detects the creation of a Recent Items shortcut (.lnk) file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.
Detection logic
selection:
    TargetFilename|contains: '\Microsoft\Windows\Recent\'
    TargetFilename|endswith:
        - '.iso.lnk'
        - '.img.lnk'
        - '.vhd.lnk'
        - '.vhdx.lnk'
condition: selection
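The selection above, evaluated in Python over a handful of constructed file-creation events, as an added example that is not part of the rule or of the Sigma project; the event layout (Sysmon-style dicts with a TargetFilename field) and the case-insensitive comparison are assumptions about how a backend would run it.

```python
# Added example (not part of the Sigma rule or its source project): a minimal
# evaluator for the rule's `selection`, run over constructed file-creation
# events. Field names follow the rule above; the sample events are made up.

RECENT_DIR = "\\microsoft\\windows\\recent\\"                      # TargetFilename|contains
IMAGE_LINKS = (".iso.lnk", ".img.lnk", ".vhd.lnk", ".vhdx.lnk")   # TargetFilename|endswith


def matches(event: dict) -> bool:
    """Return True when the event satisfies `selection`.

    Sigma's contains/endswith modifiers match case-insensitively by default,
    so the event value is lower-cased before comparison with the patterns.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False  # e.g. a process-creation event that carries no file name
    target = target.lower()
    return RECENT_DIR in target and target.endswith(IMAGE_LINKS)


def image_name(target: str) -> str:
    """Strip the directory and the trailing '.lnk' so the alert names the image."""
    return target.rsplit("\\", 1)[-1][:-len(".lnk")]


def find_image_mounts(events: list[dict]) -> list[str]:
    """Names of disk images referenced by matching Recent-folder shortcuts."""
    return [image_name(e["TargetFilename"]) for e in events if matches(e)]


# Constructed sample events, shaped like Sysmon Event ID 11 (FileCreate) records.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename":
        "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Invoice_2024.iso.lnk"},
    {"EventID": 11, "TargetFilename":
        "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Report.docx.lnk"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice_2024.iso"},
    {"EventID": 11, "TargetFilename":
        "C:\\Users\\bob\\AppData\\Roaming\\MICROSOFT\\WINDOWS\\RECENT\\Backup.VHDX.LNK"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for name in find_image_mounts(SAMPLE_EVENTS):
        print("disk image opened from Recent folder:", name)
```

Only the two shortcuts inside the Recent folder fire; the .iso sitting in Downloads does not, because the rule keys on the shortcut Windows writes when the image is opened, not on the image file itself.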