Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Desktopimgdownldr Command

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Fri Jul 03Updated Sat Nov 27bb58aa4a-b80b-415a-a2c0-2f65a4c81009windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection1:
        CommandLine|contains: ' /lockscreenurl:'
    selection1_filter:
        CommandLine|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    selection_reg:
        CommandLine|contains|all:
            - 'reg delete'
            - '\PersonalizationCSP'
    condition: ( selection1 and not selection1_filter ) or selection_reg
False Positives

False positives depend on scripts and administrative tools used in the monitored environment

References
1
Resolving title…
labs.sentinelone.com
2
Resolving title…
twitter.com
MITRE ATT&CK
Rule Metadata
Rule ID
bb58aa4a-b80b-415a-a2c0-2f65a4c81009
Status
test
Level
high
Type
Detection
Created
Fri Jul 03
Modified
Sat Nov 27
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
Raw Tags
attack.command-and-controlattack.t1105
View on GitHub