File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Sigma rule (View on GitHub)
1title: File Download From Browser Process Via Inline URL
2id: 94771a71-ba41-4b6e-a757-b531372eaab6
3status: test
4description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
5references:
6 - https://twitter.com/mrd0x/status/1478116126005641220
7 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
9date: 2022-01-11
10modified: 2023-11-09
11tags:
12 - attack.command-and-control
13 - attack.t1105
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 Image|endswith:
20 - '\brave.exe'
21 - '\chrome.exe'
22 - '\msedge.exe'
23 - '\opera.exe'
24 - '\vivaldi.exe'
25 selection_http:
26 CommandLine|contains: 'http'
27 selection_extensions:
28 CommandLine|endswith:
29 - '.7z'
30 - '.dat'
31 - '.dll'
32 - '.exe'
33 - '.hta'
34 - '.ps1'
35 - '.psm1'
36 - '.txt'
37 - '.vbe'
38 - '.vbs'
39 - '.zip'
40 condition: all of selection_*
41falsepositives:
42 - Unknown
43level: medium
References
-
Msedge.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings