Suspicious Desktopimgdownldr Command

 1title: Suspicious Desktopimgdownldr Command
 2id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
 3status: test
 4description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
 5references:
 6    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 7    - https://twitter.com/SBousseaden/status/1278977301745741825
 8author: Florian Roth (Nextron Systems)
 9date: 2020/07/03
10modified: 2021/11/27
11tags:
12    - attack.command_and_control
13    - attack.t1105
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection1:
19        CommandLine|contains: ' /lockscreenurl:'
20    selection1_filter:
21        CommandLine|contains:
22            - '.jpg'
23            - '.jpeg'
24            - '.png'
25    selection_reg:
26        CommandLine|contains|all:
27            - 'reg delete'
28            - '\PersonalizationCSP'
29    condition: ( selection1 and not selection1_filter ) or selection_reg
30fields:
31    - CommandLine
32    - ParentCommandLine
33falsepositives:
34    - False positives depend on scripts and administrative tools used in the monitored environment
35level: high

References

• Living Off Windows Land - A New Native File "downldr" - SentinelLabs

  

  A newly discovered LOLBin offers an alternative to certutil for helping adversaries download files from a remote server. Meet desktopimgdownldr.exe.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• MsiExec Web Install
• PowerShell DownloadFile
• Suspicious Registry Key Added: LanmanServer Parameters
• Suspicious Registry Key Set (MaxMpxCt)
• Cisco Stage Data