Potential Arbitrary File Download Via Cmdl32.EXE
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
Sigma rule (View on GitHub)
1title: Potential Arbitrary File Download Via Cmdl32.EXE
2id: f37aba28-a9e6-4045-882c-d5004043b337
3status: test
4description: |
5 Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
6 Attackers can abuse this utility in order to download arbitrary files via a configuration file.
7 Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
8references:
9 - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
10 - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
11 - https://github.com/LOLBAS-Project/LOLBAS/pull/151
12author: frack113
13date: 2021-11-03
14modified: 2024-04-22
15tags:
16 - attack.execution
17 - attack.defense-evasion
18 - attack.t1218
19 - attack.t1202
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\cmdl32.exe'
26 - OriginalFileName: CMDL32.EXE
27 selection_cli:
28 CommandLine|contains|all:
29 - '/vpn'
30 - '/lan'
31 condition: all of selection_*
32falsepositives:
33 - Unknown
34level: medium
References
-
cmdl32.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
New lolbin for downloading arbitrary files: cmdl32.exe Here is the necessary config file for the command specified in the YML file (note the command must give a full path to this file): [Connection...
Read More
Related rules
- Potential Binary Impersonating Sysinternals Tools
- Suspicious Child Process Of BgInfo.EXE
- Suspicious ZipExec Execution
- Uncommon Child Process Of BgInfo.EXE
- WSL Child Process Anomaly