Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Arbitrary File Download Via MSEDGE_PROXY.EXE

Detects usage of "msedge_proxy.exe" to download arbitrary files

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan PoudelCreated Thu Nov 09e84d89c4-f544-41ca-a6af-4b92fd38b023windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\msedge_proxy.exe'
        - OriginalFileName: 'msedge_proxy.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
lolbas-project.github.io
MITRE ATT&CK
Rule Metadata
Rule ID
e84d89c4-f544-41ca-a6af-4b92fd38b023
Status
test
Level
medium
Type
Detection
Created
Thu Nov 09
Author
Swachchhanda Shrawan Poudel
Path
rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
Raw Tags
attack.defense-evasionattack.executionattack.t1218
View on GitHub