
Suspicious Desktopimgdownldr Target File

Detects a suspicious file creation associated with Microsoft desktopimgdownldr: a file written by svchost.exe into a \Personalization\LockScreenImage\ directory that either lies outside C:\Windows\ or lacks an image extension (.jpg, .jpeg, .png).

Author: Florian Roth (Nextron Systems)
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (3 selectors)
detection:
    selection:
        Image|endswith: '\svchost.exe'
        TargetFilename|contains: '\Personalization\LockScreenImage\'
    filter1:
        TargetFilename|contains: 'C:\Windows\'
    filter2:
        TargetFilename|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    condition: selection and not filter1 and not filter2
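The following is an added example (not part of the rule page or the Sigma project's own code) that evaluates the selection, filter1, filter2 and condition above over a handful of constructed Sysmon-style file-creation events. Field names (Image, TargetFilename) follow the rule; the sample events are made up for illustration. Sigma string matching is case-insensitive by default, so the comparisons are done on lower-cased values. One constructed event uses a double extension (update.jpg.exe) to show that the `contains` match in filter2 suppresses it even though the file is not an image.

```python
"""
Evaluate the Sigma detection logic of the desktopimgdownldr rule over
constructed Sysmon Event ID 11 (FileCreate) style events.
Example code added for illustration; not the Sigma project's own code.
"""
from typing import Dict, List

# Selector values copied from the rule. Sigma string matching is
# case-insensitive by default, so all comparisons are on lower-cased text.
IMAGE_SUFFIX = "\\svchost.exe"
PATH_FRAGMENT = "\\personalization\\lockscreenimage\\"
LEGIT_ROOT = "c:\\windows\\"
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")


def selection(event: Dict[str, str]) -> bool:
    """selection: svchost.exe writing into a LockScreenImage directory."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(IMAGE_SUFFIX) and PATH_FRAGMENT in target


def filter1(event: Dict[str, str]) -> bool:
    """filter1: target path contains C:\\Windows\\ (the expected location)."""
    return LEGIT_ROOT in event.get("TargetFilename", "").lower()


def filter2(event: Dict[str, str]) -> bool:
    """filter2: target name contains an image extension anywhere in the string."""
    target = event.get("TargetFilename", "").lower()
    return any(ext in target for ext in IMAGE_EXTENSIONS)


def matches(event: Dict[str, str]) -> bool:
    """condition: selection and not filter1 and not filter2"""
    return selection(event) and not filter1(event) and not filter2(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. Benign: lock screen image cached in the default location under C:\Windows.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Personalization\\LockScreenImage\\LockScreenImage_1234.jpg"},
    # 2. Suspicious: LockScreenImage directory outside C:\Windows, executable extension.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\Public\\Personalization\\LockScreenImage\\LockScreenImage_5678.exe"},
    # 3. Suppressed by filter2: the double extension still 'contains' .jpg.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\Public\\Personalization\\LockScreenImage\\update.jpg.exe"},
    # 4. Not selected: a different process writing to a matching path.
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "D:\\Personalization\\LockScreenImage\\a.dll"},
]


def alerting_targets(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetFilename of every event that satisfies the condition."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in alerting_targets(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the second constructed event fires. The third event shows why a practitioner reviewing this rule should note that filter2 uses `contains` rather than `endswith`: any name with an image extension fragment somewhere in it is excluded, regardless of what comes after it.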
False Positives

False positives depend on scripts and administrative tools used in the monitored environment

Rule Metadata
Rule ID
fc4f4817-0c53-4683-a4ee-b17a64bc1039
Status
test
Level
high
Type
Detection
Created
Fri Jul 03
Modified
Thu Jun 02
Path
rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
Raw Tags
attack.command-and-control, attack.t1105