Windows Network Access Suspicious desktop.ini Action (35bc7e28-ee6b-492f-ab04-da58fcf6402e)

Detects unusual processes accessing desktop.ini remotely over a network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Windows Network Access Suspicious desktop.ini Action (35bc7e28-ee6b-492f-ab04-da58fcf6402e) | Sigma-Rules | Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | 1 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | 2 |