LoFP / Legitimate customization or IT management may use theme files that trigger this detection. Review and allow trusted themes from authorized sources.

Techniques

Sample rules

Windows Theme File Creation in Unusual Location

Description

Detects theme files being created in unusual locations. These files, used to customize desktop appearances, have been used for remote code execution and NTLM coercion attacks.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path IN ("*\\Desktop\\*", "*\\Documents\\*", "*\\Downloads\\*", "*\\Temp\\*")
      Filesystem.file_name="*.theme"
      Filesystem.action="created"
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path Filesystem.process_guid
       Filesystem.process_id Filesystem.file_path Filesystem.action Filesystem.file_name
       Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_theme_file_creation_in_unusual_location_filter`
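The same detection re-implemented in Python over constructed Endpoint.Filesystem-style events, with a hypothetical allowlist playing the role of the rule's `_filter` macro so the authorized-theme false positive described above is suppressed. This is an added example, not the Splunk rule's or the LoFP page's own code; the theme name, deployment tool and all sample events are assumptions.

```python
# Added example, not the Splunk rule's or the LoFP page's own code: the detection
# re-implemented over constructed Endpoint.Filesystem-style events, plus a hypothetical
# allowlist standing in for the rule's `_filter` macro (the LoFP tuning advice).
import fnmatch
from collections import defaultdict

# Path wildcards from the rule; Splunk wildcards are case-insensitive, so lower() both sides.
UNUSUAL_PATHS = ["*\\Desktop\\*", "*\\Documents\\*", "*\\Downloads\\*", "*\\Temp\\*"]
# Hypothetical allowlist: the approved corporate theme and the tool IT uses to deploy it.
TRUSTED_THEMES = {"corp-standard.theme"}
TRUSTED_PROCESSES = {"c:\\program files\\contoso\\themedeploy.exe"}

def _glob(value, pattern):
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event):
    """The tstats where-clause: a .theme file created under one of the unusual paths."""
    return (event.get("action") == "created"
            and _glob(event.get("file_name", ""), "*.theme")
            and any(_glob(event.get("file_path", ""), p) for p in UNUSUAL_PATHS))

def is_trusted(event):
    """Tuning filter: suppress themes from authorized sources, the false positive LoFP notes."""
    return (event.get("file_name", "").lower() in TRUSTED_THEMES
            or event.get("process_path", "").lower() in TRUSTED_PROCESSES)

def detect(events):
    """Aggregate like the `by` clause: count, firstTime, lastTime per (dest, user, file_path)."""
    findings = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_rule(ev) or is_trusted(ev):
            continue
        f = findings[(ev["dest"], ev["user"], ev["file_path"])]
        f["count"] += 1
        f["firstTime"] = ev["_time"] if f["firstTime"] is None else min(f["firstTime"], ev["_time"])
        f["lastTime"] = ev["_time"] if f["lastTime"] is None else max(f["lastTime"], ev["_time"])
    return dict(findings)

# Constructed sample events (not real telemetry); only the fields the rule uses.
def _ev(t, dest, user, name, path, proc):
    return {"_time": t, "dest": dest, "user": user, "action": "created",
            "file_name": name, "file_path": path, "process_path": proc}

SAMPLE_EVENTS = [  # browser drop in Downloads (twice), IT deployment, non-theme file, theme in the system folder
    _ev(1700000000, "ws01", "alice", "invoice.theme", "C:\\Users\\alice\\Downloads\\invoice.theme", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    _ev(1700000050, "ws01", "alice", "invoice.theme", "C:\\Users\\alice\\Downloads\\invoice.theme", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    _ev(1700000100, "ws02", "bob", "corp-standard.theme", "C:\\Users\\bob\\Desktop\\corp-standard.theme", "C:\\Program Files\\Contoso\\ThemeDeploy.exe"),
    _ev(1700000200, "ws03", "carol", "notes.txt", "C:\\Users\\carol\\Documents\\notes.txt", "C:\\Windows\\notepad.exe"),
    _ev(1700000300, "ws04", "dave", "dark.theme", "C:\\Windows\\Resources\\Themes\\dark.theme", "C:\\Windows\\System32\\svchost.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` yields a single finding for ws01/alice with count 2: the IT-deployed theme is filtered out, the .txt file never matches, and the theme under C:\Windows\Resources\Themes is not in an unusual location.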