File Download From Browser Process Via Inline URL

 1title: File Download From Browser Process Via Inline URL
 2id: 94771a71-ba41-4b6e-a757-b531372eaab6
 3status: test
 4description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
 5references:
 6    - https://twitter.com/mrd0x/status/1478116126005641220
 7    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-01-11
10modified: 2025-10-27
11tags:
12    - attack.command-and-control
13    - attack.t1105
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith:
20            - '\brave.exe'
21            - '\chrome.exe'
22            - '\msedge.exe'
23            - '\opera.exe'
24            - '\vivaldi.exe'
25    selection_http:
26        CommandLine|contains: 'http'
27    selection_extensions:
28        - CommandLine|endswith:
29              - '.7z'
30              - '.dat'
31              - '.dll'
32              - '.exe'
33              - '.hta'
34              - '.ps1'
35              - '.psm1'
36              - '.txt'
37              - '.vbe'
38              - '.vbs'
39              - '.zip'
40        - CommandLine|contains:
41              - '.7z"'
42              - '.dat"'
43              - '.dll"'
44              - '.hta"'
45              - '.ps1"'
46              - '.psm1"'
47              - '.txt"'
48              - '.vbe"'
49              - '.vbs"'
50              - '.zip"'
51    condition: all of selection_*
52falsepositives:
53    - Unknown
54level: medium
55regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml