38 lines
1.2 KiB
YAML
38 lines
1.2 KiB
YAML
title: Suspicious desktop.ini Action
|
|
author: Maxime Thiebaut (@0xThiebaut)
|
|
date: 2020/03/19
|
|
description: Detects unusual processes accessing desktop.ini, which can be leveraged
|
|
to alter how Explorer displays a folder's content (i.e. renaming files) without
|
|
changing them on disk.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 11
|
|
SELECTION_2:
|
|
TargetFilename: '*\desktop.ini'
|
|
SELECTION_3:
|
|
Image: C:\Windows\explorer.exe
|
|
SELECTION_4:
|
|
Image: C:\Windows\System32\msiexec.exe
|
|
SELECTION_5:
|
|
Image: C:\Windows\System32\mmc.exe
|
|
condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
|
|
or SELECTION_5)))
|
|
falsepositives:
|
|
- Operations performed through Windows SCCM or equivalent
|
|
id: 81315b50-6b60-4d8f-9928-3466e1022515
|
|
level: medium
|
|
logsource:
|
|
category: file_event
|
|
product: windows
|
|
modified: 2020/08/23
|
|
references:
|
|
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
|
|
status: experimental
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1023
|
|
- attack.t1547.009
|
|
yml_filename: sysmon_susp_desktop_ini.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
|
|
|