security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4989d43ae97015f8113aed2efcd49d288b8fec21
blue-team-tools/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
T
Swachchhanda Shrawan Poudel fc716d14f6 Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules 
new: Arbitrary File Download Via IMEWDBLD.EXE
new: Arbitrary File Download Via MSEDGE_PROXY.EXE
new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
new: Msxsl.EXE Execution
new: Potential File Download Via MS-AppInstaller Protocol Handler
new: Remote XSL Execution Via Msxsl.EXE
update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
update: Arbitrary File Download Via MSOHTMED.EXE - Update title
update: Arbitrary File Download Via PresentationHost.EXE - Update title
update: File Download And Execution Via IEExec.EXE - Update title and description
update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and incrasing coverage by adding new extensions to the list
update: File Download Using ProtocolHandler.exe - Update logic by removing unecessary the "selection_cli_1"
update: File Download Via InstallUtil.EXE - Update title and description
update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increase coverage of other partitions
update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enahnce false positives filters
update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved to a seperate rules "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-11-14 09:46:39 +01:00

31 lines
1002 B
YAML
Raw Blame History

title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
description: |
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021/07/13
modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\protocolhandler.exe'
- OriginalFileName: 'ProtocolHandler.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink