LoFP / operations performed through windows sccm or equivalent

Techniques

Sample rules

Suspicious desktop.ini Action

Description

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (for example, showing files under different names) without changing them on disk.

Detection logic

selection:
  TargetFilename|endswith: \desktop.ini
filter_generic:
  Image|startswith:
    - C:\Windows\
    - C:\Program Files\
    - C:\Program Files (x86)\
filter_jetbrains:
  Image|endswith: \AppData\Local\JetBrains\Toolbox\bin\7z.exe
  TargetFilename|contains: \JetBrains\apps\
filter_upgrade:
  TargetFilename|startswith: C:\$WINDOWS.~BT\NewOS\
condition: selection and not 1 of filter_*
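The following is an added example, not code from the LoFP page or from the Sigma project: a plain Python re-implementation of the detection logic above, run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. It also shows how the false positive this entry records (an endpoint-management agent, SCCM-style, writing desktop.ini from a path outside the trusted prefixes) would be tuned out with a narrow site-specific filter. Every host, user, agent name and path in the sample events is constructed; the Contoso agent and its `filter_mgmt_agent` are hypothetical.

```python
"""Added example (not from the LoFP page or the Sigma project): Python
re-implementation of the "Suspicious desktop.ini Action" logic, run over
constructed Sysmon Event ID 11 records.  All paths below are constructed."""

# Sigma string modifiers (startswith/endswith/contains) compare
# case-insensitively, so every comparison here lower-cases both sides.
GENERIC_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def selection(ev):
    return ev["TargetFilename"].lower().endswith("\\desktop.ini")


def filter_generic(ev):
    return ev["Image"].lower().startswith(GENERIC_PREFIXES)


def filter_jetbrains(ev):
    return (ev["Image"].lower().endswith("\\appdata\\local\\jetbrains\\toolbox\\bin\\7z.exe")
            and "\\jetbrains\\apps\\" in ev["TargetFilename"].lower())


def filter_upgrade(ev):
    return ev["TargetFilename"].lower().startswith("c:\\$windows.~bt\\newos\\")


RULE_FILTERS = (filter_generic, filter_jetbrains, filter_upgrade)


def rule_matches(ev, extra_filters=()):
    """condition: selection and not 1 of filter_*"""
    return selection(ev) and not any(f(ev) for f in RULE_FILTERS + tuple(extra_filters))


def run_rule(events, extra_filters=()):
    """Return the Image of every event that would raise the alert."""
    return [ev["Image"] for ev in events if rule_matches(ev, extra_filters)]


# Constructed sample events (hypothetical hosts, users and agent paths).
EVENTS = [
    # 1. Explorer itself: suppressed by filter_generic.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\desktop.ini"},
    # 2. Unknown binary in a user temp dir rewriting a desktop.ini: alert.
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\desktop.ini"},
    # 3. Hypothetical management agent ("SCCM or equivalent") installed outside
    #    the trusted prefixes: also alerts, i.e. the false positive this entry records.
    {"EventID": 11, "Image": "C:\\ProgramData\\Contoso\\MgmtAgent\\agent.exe",
     "TargetFilename": "C:\\Users\\Public\\Desktop\\desktop.ini"},
    # 4. Windows upgrade staging area: suppressed by filter_upgrade.
    {"EventID": 11, "Image": "C:\\Users\\bob\\Downloads\\setup.exe",
     "TargetFilename": "C:\\$WINDOWS.~BT\\NewOS\\Users\\Public\\Desktop\\desktop.ini"},
    # 5. Case variant of event 2: matching is case-insensitive, so still selected.
    {"EventID": 11, "Image": "c:\\users\\alice\\appdata\\local\\temp\\UPD.EXE",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\DESKTOP.INI"},
]


def filter_mgmt_agent(ev):
    """Hypothetical site-specific tuning filter for the agent in event 3.
    Pin both the image path and the target directory: an image-only filter
    would let anything dropped under that name into any folder go unseen."""
    return (ev["Image"].lower() == "c:\\programdata\\contoso\\mgmtagent\\agent.exe"
            and ev["TargetFilename"].lower().startswith("c:\\users\\public\\"))


if __name__ == "__main__":
    print("untuned:", run_rule(EVENTS))
    print("tuned:  ", run_rule(EVENTS, extra_filters=(filter_mgmt_agent,)))
```

Untuned, events 2, 3 and 5 alert; with `filter_mgmt_agent` added, only the two temp-directory writes remain. The tuning filter deliberately keys on the full image path plus the directory the agent is expected to touch rather than on the process name alone, which is the shape an exclusion for this false positive should take in production.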