Remote File Download via Desktopimgdownldr Utility
The rule detects the use of desktopimgdownldr.exe to download remote files, which is an abuse of a signed utility often used as an alternative to certutil for transferring malicious tools or malware into a compromised environment.
The desktopimgdownldr.exe utility, typically used for configuring lock screen or desktop images, can be abused by adversaries to download arbitrary files from remote locations. This technique is employed as an alternative to tools like certutil for transferring malicious payloads into a compromised environment. The abuse occurs when the utility is invoked with the /lockscreenurl argument, followed by an HTTP or HTTPS URL, leading to the download of a remote file. This activity often bypasses traditional download restrictions, making it a stealthy method for introducing malware. The Elastic detection rule identifies this specific behavior based on process arguments. The rule focuses on Windows systems and leverages process execution data to detect instances of this abuse, helping defenders to identify and respond to potential command and control activities.
Attack Chain
- Initial Access: The attacker gains initial access through an existing compromise or vulnerability.
- Command Execution: The attacker executes
desktopimgdownldr.exevia command line or script. - Argument Manipulation: The attacker uses the
/lockscreenurl:http*argument to specify a remote URL. - File Download:
desktopimgdownldr.exedownloads a file from the specified remote URL. - Payload Delivery: The downloaded file is a malicious payload (e.g., malware, script).
- Execution: The attacker executes the downloaded malicious file.
- Persistence/Lateral Movement: The attacker uses the executed payload for persistence or lateral movement within the network.
- Objective Achieved: The attacker achieves their objective (e.g., data exfiltration, ransomware deployment).
Impact
Successful exploitation can lead to the introduction of malware or malicious tools into the targeted environment. This can lead to further compromise, data exfiltration, system damage, or deployment of ransomware. The number of victims and targeted sectors depend on the attacker's objectives. The successful download and execution of malicious files can significantly degrade system security and lead to substantial financial and reputational damage.
Recommendation
- Deploy the Sigma rule
Detect Remote File Download via Desktopimgdownldr Utilityto your SIEM and tune for your environment. - Monitor process execution events for instances of
desktopimgdownldr.exewith the/lockscreenurlargument. - Investigate any identified instances of
desktopimgdownldr.exebeing used with a remote URL, focusing on the source and nature of the downloaded file. - Enable Sysmon process-creation logging to enhance detection capabilities as outlined in the
logsourceof the detection rule.
Detection coverage 2
Detect Remote File Download via Desktopimgdownldr Utility
mediumDetects the execution of desktopimgdownldr.exe with the /lockscreenurl argument to download remote files.
Detect Remote File Download via Desktopimgdownldr Utility - Alternate Location
mediumDetects the execution of desktopimgdownldr.exe (from alternate location) with the /lockscreenurl argument to download remote files.
Detection queries are available on the platform. Get full rules →