LoFP / software installation iso files

Sample rules

ISO Image Mounted

Description

Detects the mount of an ISO image on an endpoint by matching Security event 4663 (object access) records for files under \Device\CdRom. Software installation media is the expected false positive: the rule filters only autorun.ico, setup.exe and setup64.exe on \Device\CdRom0, so an installer that touches other files on the image, or an installer image mounted as a second CD-ROM device (\Device\CdRom1), still alerts. Event 4663 is only written when the Audit File System object-access subcategory is enabled and the accessed object carries an auditing SACL (for example through Global Object Access Auditing); without that auditing the rule has no events to match.

Detection logic

selection:
  EventID: 4663
  ObjectServer: Security
  ObjectType: File
  ObjectName|startswith: \Device\CdRom
filter_main_generic:
  ObjectName:
  - \Device\CdRom0\autorun.ico
  - \Device\CdRom0\setup.exe
  - \Device\CdRom0\setup64.exe
condition: selection and not 1 of filter_main_*
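The following is an added example, not code from the LoFP page or from the Sigma project: a small Python evaluator for the selection, filter and condition above, run over constructed Security 4663 events (the event dicts, file names and the CdRom1 case are made up for illustration). It shows which accesses alert, which are suppressed as software-installation false positives, and that the same setup.exe on a second CD-ROM device slips past the CdRom0-pinned filter.

```python
"""Evaluate the 'ISO Image Mounted' Sigma logic over constructed 4663 events."""
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names follow the
# Sigma windows/security logsource: EventID, ObjectServer, ObjectType, ObjectName.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Legitimate installer media touching the files the rule filters.
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\setup.exe"},
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\autorun.ico"},
    # Phishing-style ISO: a shortcut and a payload on the same device.
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\Invoice.lnk"},
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\payload.dll"},
    # Same installer file on a second mounted image: the filter names
    # CdRom0 only, so this one is NOT suppressed (hypothetical case).
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom1\setup.exe"},
    # Wrong ObjectType: never enters the selection.
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "Key",
     "ObjectName": r"\Device\CdRom0\setup.exe"},
    # Handle request (4656) rather than object access (4663): no match.
    {"EventID": 4656, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"\Device\CdRom0\payload.dll"},
    # The ISO file itself on disk, not a mounted \Device\CdRom path: no match.
    {"EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\Downloads\Invoice.iso"},
]

# filter_main_generic from the rule; compared case-insensitively as Sigma does.
FILTER_MAIN_GENERIC = {
    r"\device\cdrom0\autorun.ico",
    r"\device\cdrom0\setup.exe",
    r"\device\cdrom0\setup64.exe",
}


def selection(event: Dict[str, object]) -> bool:
    """The 'selection' block: 4663, Security object server, File, \\Device\\CdRom*."""
    name = str(event.get("ObjectName", "")).lower()
    return (
        str(event.get("EventID")) == "4663"
        and str(event.get("ObjectServer", "")).lower() == "security"
        and str(event.get("ObjectType", "")).lower() == "file"
        and name.startswith(r"\device\cdrom")
    )


def filter_main_generic(event: Dict[str, object]) -> bool:
    """The 'filter_main_generic' block: exact match on the three installer files."""
    return str(event.get("ObjectName", "")).lower() in FILTER_MAIN_GENERIC


def matches(event: Dict[str, object]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_generic(event)


def run_rule(events: List[Dict[str, object]]) -> List[str]:
    """Return the ObjectName of every event that would raise the alert."""
    return [str(e["ObjectName"]) for e in events if matches(e)]


if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("ALERT ISO Image Mounted:", name)
```

Running it prints three alerts: the .lnk and .dll on CdRom0, and setup.exe on CdRom1. The last one is the practical caveat for tuning this rule: if installation media on a second virtual drive is noisy in your environment, the filter needs a wildcard over the device index rather than a literal CdRom0, at the cost of also suppressing a malicious image that ships a file named setup.exe.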