Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Sigma rule (View on GitHub)
1title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
2id: 1f0f6176-6482-4027-b151-00071af39d7e
3status: test
4description: |
5 Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
6 Users can configure different pilot collections for each of the co-management workloads.
7 It can be abused by attackers in order to upload or download files.
8references:
9 - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
10author: frack113
11date: 2021/11/26
12modified: 2022/05/16
13tags:
14 - attack.exfiltration
15 - attack.t1567
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - CommandLine|contains: ConfigSecurityPolicy.exe
22 - Image|endswith: '\ConfigSecurityPolicy.exe'
23 - OriginalFileName: 'ConfigSecurityPolicy.exe'
24 selection_url:
25 CommandLine|contains:
26 - 'ftp://'
27 - 'http://'
28 - 'https://'
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: medium
References
-
Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...
Read More
Related rules
- Suspicious Curl File Upload - Linux
- Communication To Ngrok Tunneling Service Initiated
- Communication To Ngrok Tunneling Service - Linux
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- Active Directory Structure Export Via Csvde.EXE