Uncommon processes creating or writing desktop.ini may indicate an adversary manipulating how Explorer presents a folder: desktop.ini can override the displayed name and icon of the folder and of individual files inside it, so an executable can be shown as a document without anything being renamed on disk. SOC teams should hunt for this behavior in Azure Sentinel to surface such folder display tampering and the lure staging it typically supports.
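The display-name override described above is what a responder needs to read out of a desktop.ini once the rule fires. The following triage helper is an added example, not part of the Sigma rule or the SANS diary it references: it parses a desktop.ini and reports the overrides Explorer would apply, flagging the case where a file with an executable extension is shown under a document-like name. The extension lists and the sample desktop.ini are constructed assumptions.

```python
"""Triage helper for a desktop.ini pulled from an alerting folder.

Added example, not part of the Sigma rule or the SANS diary. It reports the
display-name overrides Explorer would apply (the "renaming without renaming"
the rule is built around). The extension lists and the sample file are
assumptions / constructed data.
"""
import configparser
import os
from dataclasses import dataclass

# File types an attacker wants launched vs. the kinds of names users click on (assumed lists).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk",
                  ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


@dataclass(frozen=True)
class Finding:
    kind: str    # what the override looks like
    real: str    # name on disk ("<folder>" for the folder itself)
    shown: str   # what Explorer displays


def parse_desktop_ini(text: str) -> configparser.ConfigParser:
    # desktop.ini is a plain INI file: keep key case, leave %VAR% references
    # uninterpolated, and tolerate duplicate keys the way Explorer does.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def triage(text: str) -> list:
    cp = parse_desktop_ini(text)
    findings = []
    # [.ShellClassInfo] LocalizedResourceName renames the folder as displayed.
    if cp.has_section(".ShellClassInfo"):
        folder_name = cp[".ShellClassInfo"].get("LocalizedResourceName")
        if folder_name:
            findings.append(Finding("folder-display-name", "<folder>", folder_name))
    # [LocalizedFileNames] maps each real file name to the name Explorer shows.
    if cp.has_section("LocalizedFileNames"):
        for real, shown in cp["LocalizedFileNames"].items():
            if not shown or shown == real:
                continue
            if shown.startswith("@"):
                # "@dll,-id" resource references are how Windows localizes its own folders.
                kind = "resource-reference"
            else:
                kind = "literal-display-name"
                real_ext = os.path.splitext(real)[1].lower()
                shown_ext = os.path.splitext(shown)[1].lower()
                if real_ext in EXECUTABLE_EXT and shown_ext in DOCUMENT_EXT:
                    kind = "executable-shown-as-document"
            findings.append(Finding(kind, real, shown))
    return findings


def lure_files(text: str) -> list:
    """Real names of executables that would be displayed as documents."""
    return [f.real for f in triage(text) if f.kind == "executable-shown-as-document"]


# Constructed sample: one legitimate resource reference, one lure.
SAMPLE_DESKTOP_INI = """[.ShellClassInfo]
LocalizedResourceName=Quarterly Reports
IconResource=C:\\Windows\\System32\\shell32.dll,3

[LocalizedFileNames]
Accessories.lnk=@%SystemRoot%\\system32\\shell32.dll,-22092
invoice.exe=invoice.pdf
readme.txt=readme.txt
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_DESKTOP_INI):
        print(f"{f.kind:30} {f.real!r:20} -> {f.shown!r}")
```

Explorer only honors desktop.ini when the folder carries the read-only or system attribute, so the process that wrote the file usually also sets that attribute; checking the folder's attributes alongside the parsed overrides confirms the override is live rather than inert.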
Detection Rule
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\desktop.ini'
    filter_main_generic:
        Image|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_upgrade:
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    filter_optional_jetbrains:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
        TargetFilename|contains: '\JetBrains\apps\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Operations performed through Windows SCCM or equivalent
    - Read only access list authority
level: medium
Azure Sentinel (ASIM imFileEvent) translation of the rule. Two field mappings matter: the Sigma Image field is the acting process, which in ASIM is ActingProcessName (the full path of the process), not TargetFilePath; and TargetFilename maps to TargetFilePath, because ASIM TargetFileName carries only the file name, so an endswith "\desktop.ini" test against it never matches. KQL's startswith, endswith and contains are case-insensitive, which matches Sigma's matching semantics.

imFileEvent
| where TargetFilePath endswith "\\desktop.ini"
// filter_main_generic and filter_main_upgrade
| where not(ActingProcessName startswith "C:\\Windows\\"
    or ActingProcessName startswith "C:\\Program Files\\"
    or ActingProcessName startswith "C:\\Program Files (x86)\\"
    or TargetFilePath startswith "C:\\$WINDOWS.~BT\\NewOS\\")
// filter_optional_jetbrains and filter_optional_onedrive
| where not((ActingProcessName startswith "C:\\Users\\"
        and ActingProcessName endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe"
        and TargetFilePath contains "\\JetBrains\\apps\\")
    or (ActingProcessName startswith "C:\\Users\\"
        and ActingProcessName contains "\\AppData\\Local\\Microsoft\\OneDrive\\"))
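To see exactly which events the selection and filters above keep and drop, here is the rule's condition re-implemented in Python and run over constructed Sysmon-style file-create events. This is an added example, not SigmaHQ code or a pySigma backend; the field names (image, target_filename) mirror Sysmon Event ID 11 and every sample path is made up. It also shows one blind spot a practitioner should know about: the broad Image|startswith 'C:\Windows\' exclusion also covers user-writable locations such as C:\Windows\Tasks.

```python
"""Evaluate the Sigma rule's condition over constructed file-create events.

Added example, not SigmaHQ code or a pySigma backend. Field names (image,
target_filename) mirror Sysmon Event ID 11; sample paths are constructed.
Sigma string modifiers are case-insensitive, so everything is lower-cased.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    image: str            # Sysmon Image: full path of the creating process
    target_filename: str  # Sysmon TargetFilename: full path of the created file


def _lc(s: str) -> str:
    return s.lower()


def selection(ev: FileEvent) -> bool:
    # TargetFilename|endswith: '\desktop.ini'
    return _lc(ev.target_filename).endswith("\\desktop.ini")


def filter_main_generic(ev: FileEvent) -> bool:
    # Image|startswith: C:\Windows\, C:\Program Files\, C:\Program Files (x86)\
    prefixes = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
    return _lc(ev.image).startswith(prefixes)


def filter_main_upgrade(ev: FileEvent) -> bool:
    # TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\' (in-place upgrade staging)
    return _lc(ev.target_filename).startswith("c:\\$windows.~bt\\newos\\")


def filter_optional_jetbrains(ev: FileEvent) -> bool:
    # All three conditions must hold for this filter to apply.
    img = _lc(ev.image)
    return (img.startswith("c:\\users\\")
            and img.endswith("\\appdata\\local\\jetbrains\\toolbox\\bin\\7z.exe")
            and "\\jetbrains\\apps\\" in _lc(ev.target_filename))


def filter_optional_onedrive(ev: FileEvent) -> bool:
    img = _lc(ev.image)
    return img.startswith("c:\\users\\") and "\\appdata\\local\\microsoft\\onedrive\\" in img


MAIN_FILTERS = (filter_main_generic, filter_main_upgrade)
OPTIONAL_FILTERS = (filter_optional_jetbrains, filter_optional_onedrive)


def matches(ev: FileEvent) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(ev)
            and not any(f(ev) for f in MAIN_FILTERS)
            and not any(f(ev) for f in OPTIONAL_FILTERS))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Explorer saving folder view settings: excluded by filter_main_generic.
    FileEvent("C:\\Windows\\explorer.exe", "C:\\Users\\alice\\Documents\\desktop.ini"),
    # Dropper in a user temp dir staging a lure folder: alerts.
    FileEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "C:\\Users\\Public\\Shared\\desktop.ini"),
    # OneDrive client: excluded by filter_optional_onedrive.
    FileEvent("C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "C:\\Users\\alice\\OneDrive\\Pictures\\desktop.ini"),
    # JetBrains Toolbox unpacking into its own apps dir: excluded.
    FileEvent("C:\\Users\\alice\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe", "C:\\Users\\alice\\AppData\\Local\\JetBrains\\apps\\IDEA\\desktop.ini"),
    # Same 7z.exe writing outside \JetBrains\apps\: the optional filter does not apply, so this alerts.
    FileEvent("C:\\Users\\alice\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe", "C:\\Users\\alice\\Downloads\\desktop.ini"),
    # Mixed-case paths: Sigma matching is case-insensitive, so this still alerts.
    FileEvent("c:\\users\\bob\\downloads\\INVOICE.exe", "C:\\Users\\Bob\\Desktop\\Invoices\\Desktop.INI"),
    # Not a desktop.ini at all: selection does not match.
    FileEvent("C:\\Tools\\setup.exe", "C:\\Users\\bob\\Desktop\\report.txt"),
    # Known blind spot: C:\Windows\Tasks is writable by authenticated users, so a binary
    # placed there is excluded by the broad Image|startswith 'C:\Windows\' filter.
    FileEvent("C:\\Windows\\Tasks\\evil.exe", "C:\\Users\\bob\\Desktop\\Invoices\\desktop.ini"),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the images of the events the rule would alert on, in input order."""
    return [ev.image for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT", hit)
```

Three of the eight constructed events alert: the temp-directory dropper, 7z.exe writing outside its JetBrains apps directory, and the mixed-case download. The C:\Windows\Tasks case is silently dropped, which is the price of the prefix-based exclusion; tightening it to the specific system binaries you expect (explorer.exe, svchost.exe, TrustedInstaller.exe) closes that gap at the cost of more tuning.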
Tuning notes. Everything that runs from C:\Windows\ or C:\Program Files\ is already excluded by filter_main_generic, so most classic false-positive sources need no extra exclusion. The filters below cover the cases that remain, and each is scoped as tightly as possible: process names and command lines are attacker-controlled, so an exclusion keyed on a bare name or on a cmdlet string is trivially abused.

Scenario: An administrator's PowerShell script writes desktop.ini to set a folder's icon or display name and then sets the folder's ReadOnly attribute with Set-ItemProperty so Explorer honors it.
Filter/Exclusion: Not needed when powershell.exe runs from C:\Windows\System32\WindowsPowerShell\v1.0\ (covered by filter_main_generic). For a portable copy, exclude the approved script rather than the cmdlet: process.name == "powershell.exe" and process.command_line contains "<path of the approved script>". Matching on "Set-ItemProperty" alone is bypassed by any adversary who appends that string to their own command line.

Scenario: A scheduled task runs a script that updates folder settings and writes desktop.ini in the process.
Filter/Exclusion: Task actions are not children of schtasks.exe (that is only the management CLI); the Task Scheduler service launches them from svchost.exe (taskeng.exe on older Windows), and taskhostw.exe hosts DLL-based actions. Excluding every child of the scheduler would also hide tasks an adversary created, so pin the exclusion to the task's script (on Windows 10 and later the scheduler host is svchost.exe ... -s Schedule): process.parent_process_name == "svchost.exe" and process.parent_command_line contains "-s Schedule" and process.command_line contains "<path of the approved script>".

Scenario: A backup tool (e.g., Veeam Backup & Replication) reads or restores folder metadata, including desktop.ini, during a backup or restore job.
Filter/Exclusion: Not needed for a standard install: Veeam binaries (e.g. Veeam.Backup.Service.exe) live under C:\Program Files\Veeam\ and are already excluded by filter_main_generic. vssadmin.exe only manages shadow copies and does not create desktop.ini, so excluding it adds nothing. If the product is installed elsewhere, exclude by full executable path: process.executable startswith "<install directory of the backup product>".

Scenario: A third-party synchronization tool (e.g., SyncBackSE) mirrors folders and copies or rewrites desktop.ini as part of its metadata handling.
Filter/Exclusion: Covered by filter_main_generic when installed under Program Files. For a portable copy, exclude the exact executable path, not the bare name, since any binary can be renamed SyncBackSE.exe: process.name == "SyncBackSE.exe" and process.executable == "<approved path of SyncBackSE.exe>".

Scenario: Windows Update or the Group Policy client rewrites folder settings and touches desktop.ini.
Filter/Exclusion: None needed. There is no gpsvc.exe: the Group Policy Client is gpsvc.dll hosted in svchost.exe, and Windows Update runs as svchost.exe (wuauserv) with TrustedInstaller.exe and TiWorker.exe, all under C:\Windows\ and therefore already excluded by filter_main_generic; in-place upgrades are covered by filter_main_upgrade. Do not add a blanket exclusion of svchost.exe under services.exe: it adds nothing beyond the existing path filter and the original "a and b or c" form also had a precedence bug.