
Windows Network Access Suspicious desktop.ini Action

Detects write, append, delete, DACL-change or add-subdirectory access to a desktop.ini file over a network share (Windows Security event 5145, ObjectType File). A desktop.ini dropped or edited on a share can change how Explorer displays the folder's contents (for example, showing files under different names) without changing the files themselves on disk. Event 5145 is only generated when the "Audit Detailed File Share" subcategory is enabled on the file server, so the rule is silent without that policy.

Author: Tim Shelton (HAWK.IO)
Log Source
Product: windows
Service: security
Detection Logic
detection:
    selection:
        EventID: 5145
        ObjectType: File
        RelativeTargetName|endswith: '\desktop.ini'
        AccessList|contains:
            - 'WriteData'
            - 'DELETE'
            - 'WriteDAC'
            - 'AppendData'
            - 'AddSubdirectory'
    condition: selection
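The selection above is a single AND over four fields, with the list under AccessList|contains acting as an OR. The following is an added example (not the Sigma project's or the rule author's code) that mirrors that selection in Python and runs it over a few constructed 5145 records. It also handles one detail a pipeline has to get right before the rule can match at all: the raw AccessList field of a 5145 event carries msobjs.dll resource codes such as %%4417, which Event Viewer and most agents render to names like "WriteData (or AddFile)"; the mapping table and the sample events are assumptions built for this example, not data from the page.

```python
from __future__ import annotations

from typing import Any

# Mirror of the rule's 'selection' block: same field names, modifiers and values.
SELECTION: dict[str, Any] = {
    "EventID": 5145,
    "ObjectType": "File",
    "RelativeTargetName|endswith": "\\desktop.ini",
    "AccessList|contains": [
        "WriteData", "DELETE", "WriteDAC", "AppendData", "AddSubdirectory",
    ],
}

# The raw AccessList field of a 5145 event carries msobjs.dll resource codes
# (%%4417 etc.); Event Viewer and most agents render them to names. This subset
# of the table is assumed for the example; confirm it against your own events.
ACCESS_NAMES = {
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4423": "ReadAttributes",
    "%%1537": "DELETE",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1541": "SYNCHRONIZE",
}


def resolve_access_list(raw: str) -> str:
    """Render %%-codes to names; text that is already rendered passes through."""
    return " ".join(ACCESS_NAMES.get(tok, tok) for tok in raw.split())


def _match_value(modifier: str, actual: str, wanted: str) -> bool:
    """One Sigma value comparison; Sigma string matching is case-insensitive."""
    a, w = actual.lower(), wanted.lower()
    if modifier == "":
        return a == w
    if modifier == "endswith":
        return a.endswith(w)
    if modifier == "contains":
        return w in a
    raise ValueError(f"unsupported modifier: {modifier!r}")


def matches_selection(event: dict[str, Any], selection: dict[str, Any] = SELECTION) -> bool:
    """AND across the selection's fields; a list of values for one field is an OR."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        actual = str(event[field])
        if field == "AccessList":
            actual = resolve_access_list(actual)
        candidates = wanted if isinstance(wanted, list) else [wanted]
        if not any(_match_value(modifier, actual, str(w)) for w in candidates):
            return False
    return True


# Constructed 5145 records, shaped like a parsed Security event (not real logs).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # write to desktop.ini over a share, AccessList still as raw %%-codes
        "EventID": 5145, "ObjectType": "File", "ShareName": "\\\\*\\Public",
        "RelativeTargetName": "Tools\\desktop.ini",
        "AccessList": "%%4417\r\n\t\t\t\t%%1541",
        "SubjectUserName": "jdoe", "IpAddress": "10.0.0.45",
    },
    {   # read-only listing of desktop.ini: the case the access list excludes
        "EventID": 5145, "ObjectType": "File", "ShareName": "\\\\*\\Public",
        "RelativeTargetName": "Tools\\desktop.ini",
        "AccessList": "%%4416 %%4423",
        "SubjectUserName": "jdoe", "IpAddress": "10.0.0.45",
    },
    {   # delete of another file; EventID delivered as a string by the agent
        "EventID": "5145", "ObjectType": "File", "ShareName": "\\\\*\\Public",
        "RelativeTargetName": "Tools\\readme.txt",
        "AccessList": "DELETE",
        "SubjectUserName": "jdoe", "IpAddress": "10.0.0.45",
    },
    {   # DACL change on desktop.ini, already rendered. With the table above the
        # right reads WRITE_DAC, which the rule's 'WriteDAC' string does not
        # match; check the exact spelling your pipeline emits before relying on it.
        "EventID": 5145, "ObjectType": "File", "ShareName": "\\\\*\\Public",
        "RelativeTargetName": "Tools\\desktop.ini",
        "AccessList": "WRITE_DAC",
        "SubjectUserName": "jdoe", "IpAddress": "10.0.0.45",
    },
]


def evaluate(events: list[dict[str, Any]] = SAMPLE_EVENTS) -> list[bool]:
    """Return one verdict per event, in order."""
    return [matches_selection(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{'ALERT ' if hit else 'ignore'} {ev['IpAddress']} {ev['SubjectUserName']} "
              f"{ev['RelativeTargetName']} [{resolve_access_list(ev['AccessList'])}]")
```

Only the first record fires. The second shows why the access list matters (a read-only open of desktop.ini is normal Explorer behaviour), and the fourth is the check worth doing against your own data: the contains match is literal, so the spelling of the rendered access right in your pipeline decides whether the WriteDAC branch of the rule can ever match.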
False Positives

Read-only access to desktop.ini does not match, because the access list above requires a write, append, delete, DACL-change or add-subdirectory right. Legitimate writes do match: users customising a folder's view, and backup or deployment accounts that rewrite folder metadata over a share. Baseline those by account (SubjectUserName) and source (IpAddress) from the 5145 event before tuning.

Rule Metadata
Rule ID
35bc7e28-ee6b-492f-ab04-da58fcf6402e
Status
test
Level
medium
Type
Detection
Created
Mon Dec 06
Modified
Sun Jan 16
Path
rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
Tags
attack.privilege-escalation
attack.persistence
attack.t1547.009