Remote File Download Via Desktopimgdownldr Utility
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Sigma rule

```yaml
title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
references:
    - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\desktopimgdownldr.exe'
        ParentImage|endswith: '\desktopimgdownldr.exe'
        CommandLine|contains: '/lockscreenurl:http'
    condition: selection
falsepositives:
    - Unknown
level: medium
```

Two points to check before deploying this rule. First, the `/lockscreenurl:http` substring is matched case-insensitively and covers both `http://` and `https://`, while a local path such as `/lockscreenurl:C:\...` does not match, which is what keeps ordinary lock-screen image handling out of the alerts. Second, `selection` is a single YAML mapping, and Sigma ANDs every field of a mapping: as written, the event must have desktopimgdownldr.exe as both `Image` and `ParentImage`. The referenced Elastic rule matches on either the process name or the parent process name. To express that in Sigma, list the `Image|endswith` and `ParentImage|endswith` pairs as two items under one selection (a list is an OR) and move the `CommandLine|contains` check into a second selection joined with `condition: all of selection*`.
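The following is an added example, not part of the Sigma rule or the Elastic reference: a minimal evaluator for the `endswith` and `contains` modifiers run over constructed process_creation events. It evaluates the selection exactly as written (one mapping, all three fields must match) and, for comparison, a variant that ORs the `Image` and `ParentImage` checks as the referenced Elastic rule does. The events, hostnames and paths are constructed for the demonstration; the self-parent event exists only to exercise the as-written conjunction and is not a claim about how desktopimgdownldr.exe behaves.

```python
"""Evaluate the desktopimgdownldr Sigma selection over constructed
process_creation events.  Added example, not part of the rule itself."""

from typing import Any

# The detection block as written above: one mapping, so every key must match.
RULE_AS_WRITTEN: dict[str, Any] = {
    "selection": {
        "Image|endswith": r"\desktopimgdownldr.exe",
        "ParentImage|endswith": r"\desktopimgdownldr.exe",
        "CommandLine|contains": "/lockscreenurl:http",
    },
}

# Assumed alternative (editor's reconstruction, not the rule text): image OR
# parent, expressed as a YAML list under one selection, ANDed with the
# command-line check as "all of selection*" would do.
RULE_IMAGE_OR_PARENT: dict[str, Any] = {
    "selection": [
        {"Image|endswith": r"\desktopimgdownldr.exe"},
        {"ParentImage|endswith": r"\desktopimgdownldr.exe"},
    ],
    "selection_cli": {"CommandLine|contains": "/lockscreenurl:http"},
}

# Constructed sample events (not real telemetry).
EVENTS: list[dict[str, str]] = [
    {   # typical LOLBin use: launched from cmd.exe with a remote URL
        "id": "cmd-launch",
        "Image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r"desktopimgdownldr.exe /lockscreenurl:https://example.test:8080/file.ext "
                        r"/eventName:desktopimgdownldr"),
    },
    {   # local image path, no http scheme: should not fire
        "id": "local-file",
        "Image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:C:\Windows\Web\Screen\img100.jpg",
    },
    {   # constructed so that both Image and ParentImage satisfy the as-written mapping
        "id": "self-parent",
        "Image": r"C:\Windows\System32\DesktopImgDownldr.exe",
        "ParentImage": r"C:\Windows\System32\desktopimgdownldr.exe",
        "CommandLine": r"DesktopImgDownldr.exe /LockScreenUrl:HTTP://example.test/x.png",
    },
    {   # a different download LOLBin, outside this rule's scope
        "id": "certutil",
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil -urlcache -split -f http://example.test/x.png",
    },
]


def field_matches(event: dict[str, str], key: str, expected: Any) -> bool:
    """One 'Field|modifier: value' pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for exp in (str(c).lower() for c in candidates):  # a value list is an OR
        if modifier == "endswith" and actual.endswith(exp):
            return True
        if modifier == "startswith" and actual.startswith(exp):
            return True
        if modifier == "contains" and exp in actual:
            return True
        if modifier == "" and actual == exp:
            return True
    return False


def selection_matches(event: dict[str, str], selection: Any) -> bool:
    """Mapping => AND of its pairs; list => OR of its items."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict[str, str], rule: dict[str, Any]) -> bool:
    """'condition: selection' and 'all of selection*' both mean every selection matches."""
    return all(selection_matches(event, sel) for sel in rule.values())


def matching_ids(rule: dict[str, Any], events: list[dict[str, str]] = EVENTS) -> list[str]:
    """Return the ids of the sample events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e, rule)]


if __name__ == "__main__":
    for name, rule in (("as written", RULE_AS_WRITTEN), ("image OR parent", RULE_IMAGE_OR_PARENT)):
        print(f"{name:16s} -> {matching_ids(rule)}")
```

Run stand-alone, the as-written selection fires only on the constructed self-parent event, while the image-or-parent variant also fires on the cmd.exe-launched download; neither fires on the local-file or certutil events. Swap in your own process_creation exports for `EVENTS` to see which form of the selection your telemetry actually satisfies.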
References
- https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings