rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml

title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
description: |
    Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021-07-13
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\protocolhandler.exe'
        - OriginalFileName: 'ProtocolHandler.exe'
    selection_cli:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
$frack113$ Last lolbin (#3845 ) 2022-12-31 19:53:44 +01:00			`title: File Download Using ProtocolHandler.exe`
$frack113$ Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00			`id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb`
Merge PR #4533 from @nasbench - Promote `experimental` rules 2023-11-02 10:48:45 +01:00			`status: test`
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules 2023-11-14 14:31:39 +05:45			`description: \|`
			`Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)`
$frack113$ Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00			`references:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md`
$frack113$ Last lolbin (#3845 ) 2022-12-31 19:53:44 +01:00			`- https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`author: frack113`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2021-07-13`
			`modified: 2023-11-09`
$frack113$ Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00			`- attack.t1218`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
LOLBIN Updates 2022-08-19 23:05:46 +01:00			`selection_img:`
			`- Image\|endswith: '\protocolhandler.exe'`
			`- OriginalFileName: 'ProtocolHandler.exe'`
Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules 2023-11-14 14:31:39 +05:45			`selection_cli:`
			`CommandLine\|contains:`
			`- 'ftp://'`
			`- 'http://'`
			`- 'https://'`
			`condition: all of selection_*`
$frack113$ Add process_creation_protocolhandler_suspicious_file.yml 2021-07-13 12:19:07 +02:00			`falsepositives:`
			`- Unknown`
			`level: medium`