Detectionmediumtest
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Maxime Thiebaut, Tim Shelton (HAWK.IO)Created Thu Mar 19Updated Tue Dec 0981315b50-6b60-4d8f-9928-3466e1022515windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic5 selectors
detection:
selection:
TargetFilename|endswith: '\desktop.ini'
filter_main_generic:
Image|startswith:
- 'C:\Windows\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_upgrade:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
filter_optional_jetbrains:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
TargetFilename|contains: '\JetBrains\apps\'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Operations performed through Windows SCCM or equivalent
Read only access list authority
References
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
81315b50-6b60-4d8f-9928-3466e1022515
Status
test
Level
medium
Type
Detection
Created
Thu Mar 19
Modified
Tue Dec 09
Path
rules/windows/file/file_event/file_event_win_desktop_ini_created_by_uncommon_process.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.009