Adversaries may abuse the native desktopimgdownldr.exe utility as a living-off-the-land downloader, fetching payloads to unexpected locations or under non-image file extensions, or use it to move data in either direction. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command-and-control or data-exfiltration activity early.
Detection Rule
title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
references:
    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
    - https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2022-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\svchost.exe'
        TargetFilename|contains: '\Personalization\LockScreenImage\'
    filter1:
        TargetFilename|contains: 'C:\Windows\'
    filter2:
        TargetFilename|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    condition: selection and not filter1 and not filter2
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
// ASIM FileEvent translation of the Sigma rule above.
// The Sigma 'Image' field is the creating process, which in ASIM is ActingProcessName, not TargetFilePath;
// the Sigma 'TargetFilename' is the full path, which in ASIM is TargetFilePath (TargetFileName holds the name only).
// KQL endswith/contains are case-insensitive, matching Sigma's string semantics.
imFileEvent
| where ActingProcessName endswith "\\svchost.exe"
    and TargetFilePath contains "\\Personalization\\LockScreenImage\\"
    and not (TargetFilePath contains "C:\\Windows\\")
    and not (TargetFilePath contains ".jpg" or TargetFilePath contains ".jpeg" or TargetFilePath contains ".png")
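The following Python is added here as an example; it is not part of the Sigma rule, its Sentinel translation, or the SentinelOne research it references. It evaluates the rule's `selection and not filter1 and not filter2` logic over a handful of constructed file-creation events, so the rule's boundaries (case-insensitive matching, the `C:\Windows\` exclusion, the `|contains` extension filter) can be checked offline before deployment. The `FileEvent` type, the `hunt()` helper, the `strict_extensions` option and the `allowed_prefixes` tuning hook are assumptions of this example, and every sample path is constructed rather than taken from real telemetry.

```python
"""Evaluate the 'Suspicious Desktopimgdownldr Target File' Sigma logic over file-creation events.

Added example; the FileEvent type, hunt() and its options are assumptions, not part of the rule.
"""
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class FileEvent:
    """One file-creation event with the two fields the Sigma rule uses (Sysmon EID 11 style)."""
    image: str             # creating process path (Sigma: Image)
    target_filename: str   # full path of the created file (Sigma: TargetFilename)


IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")


def matches_rule(ev: FileEvent, strict_extensions: bool = False) -> bool:
    """True when the event satisfies: selection and not filter1 and not filter2.

    Sigma string modifiers match case-insensitively (as do Windows paths), so both
    fields are lower-cased first. strict_extensions=False reproduces the rule literally
    (filter2 uses |contains on '.jpg', '.jpeg', '.png'); True tightens filter2 to a real
    extension check with endswith, which is an assumption of this example, not the rule.
    """
    image = ev.image.lower()
    target = ev.target_filename.lower()
    selection = image.endswith("\\svchost.exe") and "\\personalization\\lockscreenimage\\" in target
    filter1 = "c:\\windows\\" in target
    if strict_extensions:
        filter2 = target.endswith(IMAGE_EXTENSIONS)
    else:
        filter2 = any(ext in target for ext in IMAGE_EXTENSIONS)
    return selection and not filter1 and not filter2


def hunt(events: Iterable[FileEvent],
         allowed_prefixes: Sequence[str] = (),
         strict_extensions: bool = False) -> list[FileEvent]:
    """Apply the rule, then drop hits whose target path starts with an environment-specific
    allowed directory (the kind of site-local exclusion the rule's falsepositives note anticipates)."""
    prefixes = tuple(p.lower() for p in allowed_prefixes)   # str.startswith(()) is always False
    hits: list[FileEvent] = []
    for ev in events:
        if not matches_rule(ev, strict_extensions):
            continue
        if ev.target_filename.lower().startswith(prefixes):
            continue
        hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0. Normal lock-screen download into the default %SystemRoot%: excluded by filter1 and filter2.
    FileEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\Personalization\LockScreenImage\LockScreenImage_1.jpg"),
    # 1. %SystemRoot% redirected outside C:\Windows and a non-image extension: alert.
    FileEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\Public\Personalization\LockScreenImage\LockScreenImage_2.bin"),
    # 2. Same path but written by another process: selection requires svchost.exe, so no alert.
    FileEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\Public\Personalization\LockScreenImage\LockScreenImage_3.bin"),
    # 3. Mixed case on another drive: still an alert, because matching is case-insensitive.
    FileEvent(r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE",
              r"D:\Temp\PERSONALIZATION\LOCKSCREENIMAGE\LOCKSCREENIMAGE_4.ZIP"),
    # 4. '.png' appears mid-name: the literal |contains filter2 suppresses it; endswith would not.
    FileEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\Public\Personalization\LockScreenImage\LockScreenImage_5.png.tmp"),
    # 5. A hit under a directory this (hypothetical) environment chooses to allow.
    FileEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Sandbox\Personalization\LockScreenImage\LockScreenImage_6.bin"),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS, allowed_prefixes=["C:\\Sandbox\\"]):
        print("ALERT", ev.image, "->", ev.target_filename)
```

Running the block with the literal rule yields alerts for events 1, 3 and 5; passing `allowed_prefixes=["C:\\Sandbox\\"]` removes event 5, and `strict_extensions=True` additionally surfaces event 4, which shows why a `|contains` extension filter is looser than the intent of "suspicious extension" and is worth reviewing when the rule is tuned.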
Scenario: Legitimate System Update via Windows Update
Description: A desktopimgdownldr file is created as part of a Windows Update process, which downloads and installs a legitimate system update.
Filter/Exclusion: Check the file path against known Windows Update directories (e.g., C:\Windows\Temp\, C:\Windows\SoftwareDistribution\) and verify the file hash against Microsoft’s known good hashes.
Scenario: Scheduled Job for Software Deployment
Description: A scheduled task runs a script that uses desktopimgdownldr to deploy a legitimate software package to a user’s desktop or local folder.
Filter/Exclusion: Exclude files created in known deployment directories (e.g., C:\Program Files\, C:\Users\*\AppData\Local\) and verify the file against a whitelist of approved deployment tools.
Scenario: Admin Task to Generate a Temporary File
Description: An administrator uses desktopimgdownldr to create a temporary file (e.g., a configuration file or log file) during a system maintenance task.
Filter/Exclusion: Exclude files created in temporary directories (e.g., C:\Users\*\AppData\Local\Temp\) and check for the presence of admin credentials or a Task Scheduler context.
Scenario: Malware Analysis Environment
Description: A security analyst uses desktopimgdownldr in a sandboxed environment to analyze a suspicious file, which is then stored in a known analysis directory.
Filter/Exclusion: Exclude files created in malware analysis directories (e.g., C:\Tools\Analysis\, C:\Sandbox\) and verify the process origin (e.g., using Process Explorer or WMI).
Scenario: User-Initiated File Download
Description: A user downloads a file using a legitimate tool (e.g., PowerShell or a script