Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Read More

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Read More

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Read More

Detects execution of the IEExec utility to download and execute files

Read More

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

Read More

Detects the use of Windows Defender MpCmdRun.EXE to download files

Read More

Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects suspicious ways to download files or content using PowerShell

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.

Read More

Detects when a user downloads a file from an IP based URL using CertOC.exe

Read More

Detects when a user downloads a file by using CertOC.exe

Read More

Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

Read More

Detects an executable in the Windows folder accessing suspicious domains

Read More

Detects a suspicious curl process start the adds a file to a web request

Read More

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

Read More

Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location

Read More

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

Read More

Detects programs with network connections running in suspicious files system locations

Read More

Detects a network connection initiated by the certutil.exe tool. Attackers can abuse the utility in order to download malware or additional payloads.

Read More

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Read More

Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays

Read More

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Read More

Detects usage of the "type" command to download/upload data from WebDAV server

Read More

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Read More

Detects the use of Replace.exe which can be used to replace file with another file

Read More

Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.

Read More

Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.

Read More

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

Read More

Download and compress a remote file and store it in a cab file on local machine.

Read More

Detects an executable that isn't dropbox but communicates with the Dropbox API

Read More

Download or Copy file with Extrac32

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects execution of Chromium based browser in headless mode

Read More

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Read More

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet

Read More

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Read More

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

Read More

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

Read More

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Read More

Detects the use of wget to download content to a suspicious directory

Read More

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

Read More

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Read More

Detects attempts to bypass security controls using bitsadmin.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to bypass security controls using certutil.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects potential SMB file creation activity associated with Impacket smbclient.py.

Read More

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Read More

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Read More

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Read More

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Read More

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

Read More

Detects suspicious msiexec process starts with web addresses as parameter

Read More

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Read More

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Read More

Detects Pandemic Windows Implant

Read More

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

Read More

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of custom scripts i.e. BAT files.

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.

Read More

Detects usage of BITSAdmin to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects usage of certutil to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Read More

Detects the use of tools that copy files from or to remote systems

Read More