Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Sigma rule
```yaml
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\desktop.ini'
    filter_main_generic:
        Image|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_upgrade:
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    filter_optional_jetbrains:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
        TargetFilename|contains: '\JetBrains\apps\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Operations performed through Windows SCCM or equivalent
    - Read only access list authority
level: medium
```
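As an added example (not part of the rule or of SigmaHQ), the following Python evaluates this rule's condition over constructed file_event records, so the effect of each filter on a sample event can be checked. It assumes Sigma's default case-insensitive string matching for the startswith/endswith/contains modifiers and Sysmon-style Image and TargetFilename fields.

```python
# Added example, not part of the Sigma rule or SigmaHQ: evaluates this rule's
# condition over constructed file_event records. Mirrors Sigma's default
# case-insensitive matching for the startswith/endswith/contains modifiers.
def selection(ev):
    return ev["TargetFilename"].lower().endswith("\\desktop.ini")

def filter_main_generic(ev):
    img = ev["Image"].lower()
    trusted = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
    return any(img.startswith(p) for p in trusted)

def filter_main_upgrade(ev):
    return ev["TargetFilename"].lower().startswith("c:\\$windows.~bt\\newos\\")

def filter_optional_jetbrains(ev):
    img, tf = ev["Image"].lower(), ev["TargetFilename"].lower()
    return (img.startswith("c:\\users\\")
            and img.endswith("\\appdata\\local\\jetbrains\\toolbox\\bin\\7z.exe")
            and "\\jetbrains\\apps\\" in tf)

def filter_optional_onedrive(ev):
    img = ev["Image"].lower()
    return img.startswith("c:\\users\\") and "\\appdata\\local\\microsoft\\onedrive\\" in img

def matches(ev):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(ev)
            and not (filter_main_generic(ev) or filter_main_upgrade(ev))
            and not (filter_optional_jetbrains(ev) or filter_optional_onedrive(ev)))

# Constructed sample events (Sysmon Event ID 11 style: Image, TargetFilename).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\desktop.ini"},   # filtered: trusted path
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\DESKTOP.INI"},   # alert (case-insensitive)
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetFilename": "C:\\Users\\alice\\OneDrive\\desktop.ini"},    # filtered: OneDrive
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},     # no selection hit
]

def alerts(events):
    """Return the Image of every event that triggers the rule."""
    return [ev["Image"] for ev in events if matches(ev)]

if __name__ == "__main__":
    for img in alerts(SAMPLE_EVENTS):
        print("ALERT: desktop.ini written by", img)
```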
Related rules
- New Custom Shim Database Created
- Creation Exe for Service with Unquoted Path
- Windows Network Access Suspicious desktop.ini Action
- Loading of Kernel Module via Insmod
- Modification of ld.so.preload