Potential Arbitrary File Download Via Cmdl32.EXE

calendar Apr 26, 2024 · attack.execution attack.defense_evasion attack.t1218 attack.t1202  ·
Share on: linkedin copy

Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.

Sigma rule (View on GitHub)

 1title: Potential Arbitrary File Download Via Cmdl32.EXE
 2id: f37aba28-a9e6-4045-882c-d5004043b337
 3status: test
 4description: |
 5    Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
 6    Attackers can abuse this utility in order to download arbitrary files via a configuration file.
 7    Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.    
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
10    - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
11    - https://github.com/LOLBAS-Project/LOLBAS/pull/151
12author: frack113
13date: 2021/11/03
14modified: 2024/04/22
15tags:
16    - attack.execution
17    - attack.defense_evasion
18    - attack.t1218
19    - attack.t1202
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\cmdl32.exe'
26        - OriginalFileName: CMDL32.EXE
27    selection_cli:
28        CommandLine|contains|all:
29            - '/vpn'
30            - '/lan'
31    condition: all of selection_*
32falsepositives:
33    - Unknown
34level: medium

References

Related rules

to-top