File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Sigma rule (View on GitHub)
1title: File Download Using ProtocolHandler.exe
2id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
3status: test
4description: |
5 Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
6references:
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
8 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
9author: frack113
10date: 2021/07/13
11modified: 2023/11/09
12tags:
13 - attack.defense_evasion
14 - attack.t1218
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\protocolhandler.exe'
21 - OriginalFileName: 'ProtocolHandler.exe'
22 selection_cli:
23 CommandLine|contains:
24 - 'ftp://'
25 - 'http://'
26 - 'https://'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Downloads payload from remote server ProtocolHandler.exe https://example.com/payload Use caseIt will open the specified URL in the default web browser, which (if the URL points to a file) will ofte...
Read More
Related rules
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary File Download Via Squirrel.EXE