Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration

Detects a suspicious curl process start the adds a file to a web request

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location

Detects an executable in the Windows folder accessing suspicious domains

Detects a network connection initiated by the certutil.exe tool. Attackers can abuse the utility in order to download malware or additional payloads.

Detects usage of the "msedge.exe" binary as a LOLBIN to download arbitrary file via the CLI

This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

Detects code execution via the Windows Update client (wuauclt)

Detects file download using curl.exe

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server

Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays

Detects when GfxDownloadWrapper.exe downloads file from non standard URL

Detects suspicious msiexec process starts with web addresses as parameter

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Detects Pandemic Windows Implant

Detects usage of the "type" command to download/upload data from WebDAV server

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

Detects when a user downloads file by using CertOC.exe

Detects programs with network connections running in suspicious files system locations

Use IMEWDBLD.exe (built-in to windows) to download a file

AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Detects use of custom scripts i.e. BAT files.

Various protocols maybe used to put data on the device for exfil or infil

Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Detects the use of Replace.exe which can be used to replace file with another file

Download and compress a remote file and store it in a cab file on local machine.

Download or Copy file with Extrac32

Detect the use of Windows Defender to download payloads

Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.

Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Detects the use of tools that copy files from or to remote systems