File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Sigma rule (View on GitHub)
1title: File Download Using ProtocolHandler.exe
2id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
3status: test
4description: |
5 Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
6references:
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
8 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
9author: frack113
10date: 2021-07-13
11modified: 2023-11-09
12tags:
13 - attack.defense-evasion
14 - attack.t1218
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\protocolhandler.exe'
21 - OriginalFileName: 'ProtocolHandler.exe'
22 selection_cli:
23 CommandLine|contains:
24 - 'ftp://'
25 - 'http://'
26 - 'https://'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
ProtocolHandler.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE