← Back to Explore
sigmahighHunting
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Detection Query
selection:
Image|endswith: \svchost.exe
TargetFilename|contains: \Personalization\LockScreenImage\
filter1:
TargetFilename|contains: C:\Windows\
filter2:
TargetFilename|contains:
- .jpg
- .jpeg
- .png
condition: selection and not filter1 and not filter2
Author
Florian Roth (Nextron Systems)
Created
2020-07-03
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2022-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\svchost.exe'
TargetFilename|contains: '\Personalization\LockScreenImage\'
filter1:
TargetFilename|contains: 'C:\Windows\'
filter2:
TargetFilename|contains:
- '.jpg'
- '.jpeg'
- '.png'
condition: selection and not filter1 and not filter2
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high