Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Sigma rule (View on GitHub)
1title: Suspicious desktop.ini Action
2id: 81315b50-6b60-4d8f-9928-3466e1022515
3status: test
4description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
5references:
6 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
7author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
8date: 2020-03-19
9modified: 2022-10-07
10tags:
11 - attack.persistence
12 - attack.t1547.009
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename|endswith: '\desktop.ini'
19 filter_generic:
20 Image|startswith:
21 - 'C:\Windows\'
22 - 'C:\Program Files\'
23 - 'C:\Program Files (x86)\'
24 filter_jetbrains:
25 Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
26 TargetFilename|contains: '\JetBrains\apps\'
27 filter_upgrade:
28 TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
29 condition: selection and not 1 of filter_*
30falsepositives:
31 - Operations performed through Windows SCCM or equivalent
32 - Read only access list authority
33level: medium
References
Related rules
- Creation Exe for Service with Unquoted Path
- New Custom Shim Database Created
- Windows Network Access Suspicious desktop.ini Action
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group