Merge pull request #2360 from redsand/adding_access_list_fp

Adding filter for read only accesslist, attack cannot be triggered
SigmaHQ · Dec 2, 2021 · 0d57825 · 0d57825
2 parents 97d83b8 + 686035d
commit 0d57825
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -2,25 +2,32 @@ title: Suspicious desktop.ini Action
 id: 81315b50-6b60-4d8f-9928-3466e1022515
 status: test
 description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 references:
   - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 date: 2020/03/19
-modified: 2021/11/27
+modified: 2021/11/29
 logsource:
   product: windows
   category: file_event
 detection:
+  selection:
+    TargetFilename|endswith: '\desktop.ini'
+    AccessList|contains:
+      - 'WriteData'
+      - 'DELETE'
+      - 'WriteDAC'
+      - 'AppendData'
+      - 'AddSubdirectory'
   filter:
     Image:
       - 'C:\Windows\explorer.exe'
       - 'C:\Windows\System32\msiexec.exe'
-      - 'C:\Windows\System32\mmc.exe'
-  selection:
-    TargetFilename|endswith: '\desktop.ini'
+      - 'C:\Windows\System32\mmc.exe'   
   condition: selection and not filter
 falsepositives:
   - Operations performed through Windows SCCM or equivalent
+  - read only access list authority
 level: medium
 tags:
   - attack.persistence