itiB
36 lines
991 B
YAML
36 lines
991 B
YAML
|
|
title: Suspicious desktop.ini Action
|
|
ruletype: Sigma
|
|
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
|
|
date: 2020/03/19
|
|
description: Detects unusual processes accessing desktop.ini, which can be leveraged
|
|
to alter how Explorer displays a folder's content (i.e. renaming files) without
|
|
changing them on disk.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 11
|
|
SELECTION_2:
|
|
TargetFilename: '*\desktop.ini'
|
|
SELECTION_3:
|
|
Image:
|
|
- C:\Windows\\*
|
|
- C:\Program Files\\*
|
|
- C:\Program Files (x86)\\*
|
|
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
|
|
falsepositives:
|
|
- Operations performed through Windows SCCM or equivalent
|
|
- read only access list authority
|
|
id: 81315b50-6b60-4d8f-9928-3466e1022515
|
|
level: medium
|
|
logsource:
|
|
category: file_event
|
|
product: windows
|
|
modified: 2021/12/03
|
|
references:
|
|
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
|
|
status: test
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1023
|
|
- attack.t1547.009
|