Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Sigma rule

```yaml
title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
references:
    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
    - https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: ' /lockscreenurl:'
    selection1_filter:
        CommandLine|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    selection_reg:
        CommandLine|contains|all:
            - 'reg delete'
            - '\PersonalizationCSP'
    condition: ( selection1 and not selection1_filter ) or selection_reg
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
```
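The following is an added example, not part of the rule or the Sigma project, that re-implements the rule's `condition` in Python and runs it over constructed process-creation events so the effect of the image-extension filter and of the `selection_reg` branch can be seen; hostnames and the registry path in the samples are assumptions.

```python
# Re-implementation of the Sigma condition above:
#   ( selection1 and not selection1_filter ) or selection_reg
# Sigma's `contains` modifier is case-insensitive by default, so every
# substring check here lower-cases both sides.

def contains(value, needle):
    return needle.lower() in (value or "").lower()

def selection1(cl):
    # note the leading space: matches the parameter, not a random substring
    return contains(cl, " /lockscreenurl:")

def selection1_filter(cl):
    # benign lock-screen use points at an image; such events are filtered out
    return any(contains(cl, ext) for ext in (".jpg", ".jpeg", ".png"))

def selection_reg(cl):
    # `contains|all`: every listed substring must be present
    return all(contains(cl, s) for s in ("reg delete", "\\PersonalizationCSP"))

def matches_rule(event):
    cl = event.get("CommandLine", "")
    return (selection1(cl) and not selection1_filter(cl)) or selection_reg(cl)

# Constructed sample events (not real telemetry). Hostnames are placeholders;
# the PersonalizationCSP registry path is assumed for illustration.
SAMPLE_EVENTS = [
    # 1: lock-screen image download -> suppressed by selection1_filter
    {"ProcessId": 1, "CommandLine":
     "desktopimgdownldr.exe /lockscreenurl:https://wallpapers.example/bg.jpg /eventName:desktopimgdownldr"},
    # 2: same parameter, target is not an image -> rule fires
    {"ProcessId": 2, "CommandLine":
     "desktopimgdownldr.exe /lockscreenurl:https://files.example/update.zip /eventName:desktopimgdownldr"},
    # 3: cleanup of the PersonalizationCSP key -> rule fires via selection_reg
    {"ProcessId": 3, "CommandLine":
     "reg delete HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP /f"},
    # 4: unrelated reg delete -> no match
    {"ProcessId": 4, "CommandLine": "reg delete HKCU\\Software\\Example /f"},
]

def alerts(events):
    """Return the ProcessIds of events the rule would flag."""
    return [e["ProcessId"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(matches_rule(e), e["CommandLine"])
```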
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings