LoFP / operations performed through windows sccm or equivalent

Techniques

Sample rules

Desktop.INI Created by Uncommon Process

Description

Detects uncommon processes creating desktop.ini, a file that can be leveraged to alter how Explorer displays a folder's contents (e.g. showing different file names) without changing the files on disk.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|startswith:
  - C:\Windows\
  - C:\Program Files\
  - C:\Program Files (x86)\
filter_main_upgrade:
  TargetFilename|startswith: C:\$WINDOWS.~BT\NewOS\
filter_optional_jetbrains:
  Image|endswith: \AppData\Local\JetBrains\Toolbox\bin\7z.exe
  Image|startswith: C:\Users\
  TargetFilename|contains: \JetBrains\apps\
filter_optional_onedrive:
  Image|contains: \AppData\Local\Microsoft\OneDrive\
  Image|startswith: C:\Users\
selection:
  TargetFilename|endswith: \desktop.ini
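The following Python evaluator is an added example, not LoFP's or the Sigma rule's own tooling. It transcribes the selection and filter blocks above, applies the rule's condition (`selection and not 1 of filter_main_* and not 1 of filter_optional_*`) to a handful of constructed Sysmon Event ID 11 (FileCreate) records, and shows which events survive the filters. Field matching is done case-insensitively, which is how Sigma backends normally treat Windows paths; all sample events, paths and process names are constructed for illustration.

```python
"""Evaluate the 'Desktop.INI Created by Uncommon Process' logic over sample events.

Added example code; it is not the rule's or LoFP's own implementation.
"""
from typing import Dict, List

# Rule fragments transcribed from the detection logic above.
SELECTION = {"TargetFilename|endswith": ["\\desktop.ini"]}
FILTER_MAIN = {
    "filter_main_generic": {
        "Image|startswith": ["C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\"],
    },
    "filter_main_upgrade": {"TargetFilename|startswith": ["C:\\$WINDOWS.~BT\\NewOS\\"]},
}
FILTER_OPTIONAL = {
    "filter_optional_jetbrains": {
        "Image|endswith": ["\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe"],
        "Image|startswith": ["C:\\Users\\"],
        "TargetFilename|contains": ["\\JetBrains\\apps\\"],
    },
    "filter_optional_onedrive": {
        "Image|contains": ["\\AppData\\Local\\Microsoft\\OneDrive\\"],
        "Image|startswith": ["C:\\Users\\"],
    },
}


def _match_field(value: str, modifier: str, patterns: List[str]) -> bool:
    # A list of values under one field is OR-ed; matching is case-insensitive
    # (assumption: the usual backend behaviour for Windows path fields).
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "equals" and v == p:
            return True
    return False


def _match_map(event: Dict[str, str], spec: Dict[str, List[str]]) -> bool:
    # Every field condition inside one selection/filter block must hold (AND).
    for key, patterns in spec.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _match_field(value, modifier or "equals", patterns):
            return False
    return True


def evaluate(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _match_map(event, SELECTION):
        return False
    if any(_match_map(event, f) for f in FILTER_MAIN.values()):
        return False
    if any(_match_map(event, f) for f in FILTER_OPTIONAL.values()):
        return False
    return True


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would fire the rule."""
    return [e for e in events if evaluate(e)]


# Constructed sample FileCreate events (not real telemetry).
SAMPLE_EVENTS = [
    # Explorer itself: suppressed by filter_main_generic (C:\Windows\).
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\desktop.ini"},
    # SCCM-style client activity from C:\Windows\CCM\: also inside filter_main_generic.
    {"Image": r"C:\Windows\CCM\CcmExec.exe",
     "TargetFilename": r"C:\Users\alice\Documents\desktop.ini"},
    # OneDrive sync client: suppressed by filter_optional_onedrive.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetFilename": r"C:\Users\alice\OneDrive\desktop.ini"},
    # JetBrains Toolbox 7z.exe writing under \JetBrains\apps\: filter_optional_jetbrains.
    {"Image": r"C:\Users\alice\AppData\Local\JetBrains\Toolbox\bin\7z.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\JetBrains\apps\idea\desktop.ini"},
    # Unknown binary in a user-writable location: no filter applies, so this fires.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe",
     "TargetFilename": r"C:\Users\alice\Documents\desktop.ini"},
    # Same binary, different file: not selected at all.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["TargetFilename"])
```

Running the block prints a single alert, for the binary in the user's Temp directory. Note that the rule's `filter_main_generic` only suppresses processes whose image lives under the three system prefixes; a management agent or installer that stages its helper outside those paths would still match, which is the kind of event this false-positive entry is about.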