Suspicious desktop.ini Action (81315b50-6b60-4d8f-9928-3466e1022515)

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | Suspicious desktop.ini Action (81315b50-6b60-4d8f-9928-3466e1022515) | Sigma-Rules | 1 |
| Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |