← Back to Explore
sigmahighHunting
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Detection Query
selection1:
CommandLine|contains: " /lockscreenurl:"
selection1_filter:
CommandLine|contains:
- .jpg
- .jpeg
- .png
selection_reg:
CommandLine|contains|all:
- reg delete
- \PersonalizationCSP
condition: ( selection1 and not selection1_filter ) or selection_reg
Author
Florian Roth (Nextron Systems)
Created
2020-07-03
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: ' /lockscreenurl:'
selection1_filter:
CommandLine|contains:
- '.jpg'
- '.jpeg'
- '.png'
selection_reg:
CommandLine|contains|all:
- 'reg delete'
- '\PersonalizationCSP'
condition: ( selection1 and not selection1_filter ) or selection_reg
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high