github-actions[bot]
08c52c367c
chore: promote older rules status from experimental to test Co-authored-by: nasbench <nasbench@users.noreply.github.com>
33 lines
1.0 KiB
YAML
33 lines
1.0 KiB
YAML
title: Arbitrary File Download Via IMEWDBLD.EXE
|
|
id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
|
|
related:
|
|
- id: 8d7e392e-9b28-49e1-831d-5949c6281228
|
|
type: derived
|
|
status: test
|
|
description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
|
|
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
|
|
author: Swachchhanda Shrawan Poudel
|
|
date: 2023-11-09
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.execution
|
|
- attack.t1218
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\IMEWDBLD.exe'
|
|
- OriginalFileName: 'imewdbld.exe'
|
|
selection_cli:
|
|
CommandLine|contains:
|
|
- 'http://'
|
|
- 'https://'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL
|
|
level: high
|