detection.wiki

Detection rules › Sigma

Suspicious Desktopimgdownldr Target File

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1105 Ingress Tool Transfer

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: selection

Image|endswith: '\svchost.exe'
TargetFilename|contains: '\Personalization\LockScreenImage\'

Stage 2: not filter1

TargetFilename|contains: 'C:\Windows\'

Stage 3: not filter2

or:
TargetFilename|contains: .jpeg
TargetFilename|contains: .jpg
TargetFilename|contains: .png

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \svchost.exe corpus 20 (sigma 20)
TargetFilenamematch
  • .jpeg
  • .jpg
  • .png
  • C:\Windows\
  • \Personalization\LockScreenImage\