LoFP / read only access list authority

Techniques

Sample rules

Windows Network Access Suspicious desktop.ini Action

Description

Detects unusual processes accessing desktop.ini remotely over a network share. A crafted desktop.ini can be leveraged to alter how Explorer displays a folder's content (e.g. showing files under different names) without changing the files on disk.

Detection logic

condition: selection
selection:
  AccessList|contains:
  - WriteData
  - DELETE
  - WriteDAC
  - AppendData
  - AddSubdirectory
  EventID: 5145
  ObjectType: File
  RelativeTargetName|endswith: \desktop.ini

Suspicious desktop.ini Action

Description

Detects unusual processes accessing desktop.ini. A crafted desktop.ini can be leveraged to alter how Explorer displays a folder's content (e.g. showing files under different names) without changing the files on disk.

Detection logic

condition: selection and not 1 of filter_*
filter_generic:
  Image|startswith:
  - C:\Windows\
  - C:\Program Files\
  - C:\Program Files (x86)\
filter_jetbrains:
  Image|endswith: \AppData\Local\JetBrains\Toolbox\bin\7z.exe
  TargetFilename|contains: \JetBrains\apps\
filter_upgrade:
  TargetFilename|startswith: C:\$WINDOWS.~BT\NewOS\
selection:
  TargetFilename|endswith: \desktop.ini
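Both rules above use only four Sigma matching forms (exact value, `|contains`, `|startswith`, `|endswith`, with a list of values meaning OR) and two condition shapes (`selection` alone, and `selection and not 1 of filter_*`). The following is an added example, not code from the LoFP page or from the Sigma project: a minimal Python evaluator for exactly those forms, run over constructed events to show which ones each rule fires on. It assumes Sigma's case-insensitive string matching and assumes the 5145 `AccessList` field has already been rendered from its `%%`-coded form to access names such as `WriteData`; the event values (usernames, paths, process names) are made up for the demonstration.

```python
"""Evaluate the two desktop.ini Sigma selections over constructed events (added example)."""

# Rule 1 (Security 5145 over a network share), transcribed from the page.
RULE_NETWORK_DESKTOP_INI = {
    "selection": {
        "AccessList|contains": ["WriteData", "DELETE", "WriteDAC", "AppendData", "AddSubdirectory"],
        "EventID": 5145,
        "ObjectType": "File",
        "RelativeTargetName|endswith": "\\desktop.ini",
    },
}

# Rule 2 (file event with three filters), transcribed from the page.
RULE_DESKTOP_INI = {
    "selection": {"TargetFilename|endswith": "\\desktop.ini"},
    "filter_generic": {
        "Image|startswith": ["C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\"],
    },
    "filter_jetbrains": {
        "Image|endswith": "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe",
        "TargetFilename|contains": "\\JetBrains\\apps\\",
    },
    "filter_upgrade": {"TargetFilename|startswith": "C:\\$WINDOWS.~BT\\NewOS\\"},
}

# Constructed sample events (not real telemetry). AccessList is assumed to be
# already rendered to access names, as the rule's own values expect.
EVENTS = {
    "share_read_only": {  # read-only access list: the rule should stay quiet
        "EventID": 5145, "ObjectType": "File",
        "RelativeTargetName": "Finance\\desktop.ini",
        "AccessList": "ReadData (or ListDirectory) ReadAttributes SYNCHRONIZE",
    },
    "share_write": {  # write access to desktop.ini over the share: should fire
        "EventID": 5145, "ObjectType": "File",
        "RelativeTargetName": "Finance\\desktop.ini",
        "AccessList": "WriteData (or AddFile) SYNCHRONIZE",
    },
    "explorer_local": {  # Explorer itself: excluded by filter_generic
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\alice\\Documents\\desktop.ini",
    },
    "temp_binary_local": {  # unknown binary in a user temp dir: should fire
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe",
        "TargetFilename": "C:\\Users\\alice\\Documents\\desktop.ini",
    },
    "jetbrains_update": {  # Toolbox 7z.exe writing under \JetBrains\apps\: excluded
        "Image": "C:\\Users\\alice\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\JetBrains\\apps\\PyCharm\\desktop.ini",
    },
}


def field_matches(event, key, expected):
    """One Sigma field 'Name|modifier'. A list of values is OR; matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if modifier == "contains" and cand in value:
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "" and value == cand:
            return True
    return False


def block_matches(event, block):
    """Every field inside one selection/filter block must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event, rule):
    """Condition used by both rules: 'selection' alone, or 'selection and not 1 of filter_*'."""
    if not block_matches(event, rule["selection"]):
        return False
    filters = [b for name, b in rule.items() if name.startswith("filter_")]
    return not any(block_matches(event, f) for f in filters)


def evaluate_all():
    """Return {event_name: (rule1_fires, rule2_fires)} for every constructed event."""
    return {
        name: (rule_matches(ev, RULE_NETWORK_DESKTOP_INI), rule_matches(ev, RULE_DESKTOP_INI))
        for name, ev in EVENTS.items()
    }


if __name__ == "__main__":
    for name, (r1, r2) in evaluate_all().items():
        print(f"{name:20s} network-rule={r1!s:5s} local-rule={r2!s:5s}")
```

The read-only share access is the case worth noting when tuning: because the `AccessList|contains` list holds only write-type rights, a client that merely lists or reads a folder's desktop.ini never satisfies the selection, so a read-only access list needs no extra filter. For the local rule, the filters are pure exclusions; an event from a binary outside the listed paths fires even when the file content is harmless, which is where the documented false positives come from.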