Detectionmediumtest
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\protocolhandler.exe'
- OriginalFileName: 'ProtocolHandler.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
104cdb48-a7a8-4ca7-a453-32942c6e5dcb
Status
test
Level
medium
Type
Detection
Created
Tue Jul 13
Modified
Thu Nov 09
Author
Path
rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
Raw Tags
attack.defense-evasionattack.t1218