Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Sigma rule (View on GitHub)
1title: Suspicious desktop.ini Action
2id: 81315b50-6b60-4d8f-9928-3466e1022515
3status: test
4description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
5references:
6 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
7author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
8date: 2020-03-19
9modified: 2022-10-07
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1547.009
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 TargetFilename|endswith: '\desktop.ini'
20 filter_generic:
21 Image|startswith:
22 - 'C:\Windows\'
23 - 'C:\Program Files\'
24 - 'C:\Program Files (x86)\'
25 filter_jetbrains:
26 Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
27 TargetFilename|contains: '\JetBrains\apps\'
28 filter_upgrade:
29 TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
30 condition: selection and not 1 of filter_*
31falsepositives:
32 - Operations performed through Windows SCCM or equivalent
33 - Read only access list authority
34level: medium
References
Related rules
- Creation Exe for Service with Unquoted Path
- New Custom Shim Database Created
- Windows Network Access Suspicious desktop.ini Action
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group