Suspicious Desktopimgdownldr Target File

 1title: Suspicious Desktopimgdownldr Target File
 2id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
 3status: test
 4description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
 5references:
 6    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 7    - https://twitter.com/SBousseaden/status/1278977301745741825
 8author: Florian Roth (Nextron Systems)
 9date: 2020/07/03
10modified: 2022/06/02
11tags:
12    - attack.command_and_control
13    - attack.t1105
14logsource:
15    product: windows
16    category: file_event
17detection:
18    selection:
19        Image|endswith: '\svchost.exe'
20        TargetFilename|contains: '\Personalization\LockScreenImage\'
21    filter1:
22        TargetFilename|contains: 'C:\Windows\'
23    filter2:
24        TargetFilename|contains:
25            - '.jpg'
26            - '.jpeg'
27            - '.png'
28    condition: selection and not filter1 and not filter2
29fields:
30    - CommandLine
31    - ParentCommandLine
32falsepositives:
33    - False positives depend on scripts and administrative tools used in the monitored environment
34level: high

References

• Living Off Windows Land - A New Native File "downldr" - SentinelLabs

  

  A newly discovered LOLBin offers an alternative to certutil for helping adversaries download files from a remote server. Meet desktopimgdownldr.exe.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Microsoft Binary Suspicious Communication Endpoint
• Suspicious Invoke-WebRequest Execution With DirectIP
• Suspicious Invoke-WebRequest Execution
• Operator Bring Your Own Tools
• Connection Initiated Via Certutil.EXE