{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-download/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-and-control","headless-browser","file-download","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential file downloads via headless browsers on Windows systems. Attackers abuse headless browser capabilities (chrome.exe, msedge.exe, brave.exe, browser.exe, dragon.exe, vivaldi.exe) to download files, proxy traffic, and bypass application control policies. The technique leverages trusted, signed binaries to evade security restrictions, effectively using the browser as a covert download tool. The activity is characterized by a headless browser being launched from a suspicious parent process, such as a script host, Office application, or command shell, with arguments that facilitate scripted content retrieval like \u003ccode\u003e--headless*\u003c/code\u003e, \u003ccode\u003e--dump-dom\u003c/code\u003e, \u003ccode\u003e*http*\u003c/code\u003e, and \u003ccode\u003edata:text/html;base64,*\u003c/code\u003e. Defenders should monitor for such anomalous browser behavior to identify and prevent malicious file downloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user unknowingly executes a malicious script or document (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe script (e.g., PowerShell, VBScript) or document macro initiates a process, such as cmd.exe or powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe parent process spawns a headless browser instance (chrome.exe, msedge.exe, etc.) 
with the \u003ccode\u003e--headless\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eAdditional arguments are passed to the headless browser to specify a URL for download or base64 encoded content (\u003ccode\u003e--dump-dom *http*\u003c/code\u003e, \u003ccode\u003edata:text/html;base64,*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe headless browser retrieves the content from the specified URL or decodes the base64 data.\u003c/li\u003e\n\u003cli\u003eThe browser saves the downloaded content to disk, often in a user-writable directory.\u003c/li\u003e\n\u003cli\u003eThe initial script or document executes the downloaded file or uses it for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as establishing persistence, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, data compromise, and system compromise. Attackers can use this technique to download malware, bypass security controls, and establish a foothold in the compromised system. 
The impact can range from individual workstation compromise to large-scale network infiltration, depending on the attacker\u0026rsquo;s objectives and the privileges of the compromised user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious headless browser activity, tuning for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and command-line auditing to capture the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the parent process, browser arguments, and downloaded file artifacts.\u003c/li\u003e\n\u003cli\u003eReview and harden application control policies to restrict the execution of headless browsers from suspicious parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from headless browsers to identify potential command and control traffic or data exfiltration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:34:19Z","date_published":"2026-04-06T15:34:19Z","id":"/briefs/2026-06-headless-browser-download/","summary":"Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.","title":"Potential File Download via a Headless Browser","url":"https://feed.craftedsignal.io/briefs/2026-06-headless-browser-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently use PowerShell, a legitimate administration tool, to download malicious payloads into compromised systems. 
This technique allows them to bypass traditional security measures by leveraging a trusted tool. This activity often occurs during the command and control phase, where attackers introduce additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable and script files from untrusted remote destinations. It does this by correlating network and file events, specifically looking for PowerShell processes initiating network connections to non-whitelisted domains followed by the creation of executable or script files. The rule helps defenders identify and respond to potential command and control activity and malware deployment attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.\u003c/li\u003e\n\u003cli\u003eThe DNS request is made to a domain not in the allowed list (e.g., not *.microsoft.com, *.azureedge.net, etc.).\u003c/li\u003e\n\u003cli\u003ePowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file with an MZ header.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk.\u003c/li\u003e\n\u003cli\u003eThe file is saved to a location that is not excluded by the rule, filtering out commonly used temporary directories.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable or script is then executed, leading to further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, lateral movement, or data exfiltration depending on the downloaded payload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the introduction of 
malware, backdoors, or other malicious tools into the compromised system. This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell Remote File Download\u003c/code\u003e to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview and customize the whitelisted domains in the Sigma rule to match your organization\u0026rsquo;s specific environment and trusted external resources, as described in the \u003ccode\u003equery\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eBlock the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:25:00Z","date_published":"2024-01-03T15:25:00Z","id":"/briefs/2024-01-remote-file-download-powershell/","summary":"Detects PowerShell being used to download executable files from untrusted remote 
destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.","title":"Remote File Download via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-file-download-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","windows","desktopimgdownldr"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e utility, a legitimate Windows tool for configuring lock screen and desktop images, can be misused by adversaries to download arbitrary files from remote locations. This is achieved by leveraging the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument followed by an HTTP or HTTPS URL. This technique allows attackers to bypass traditional download restrictions and can be used to retrieve malicious payloads, tools, or scripts directly onto a compromised system. This method is particularly effective because \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e is a signed Microsoft binary, potentially evading initial detection based on process name or file reputation. The detection rule was initially created in September 2020 and updated in May 2026. 
This technique is valuable for attackers seeking to transfer files without using common tools like \u003ccode\u003ecertutil\u003c/code\u003e, \u003ccode\u003epowershell\u003c/code\u003e, or \u003ccode\u003ebitsadmin\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an existing vulnerability, credential compromise, or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e with the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument, specifying a URL from which to download a malicious file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e initiates an HTTP or HTTPS request to the specified URL.\u003c/li\u003e\n\u003cli\u003eThe remote server responds with the file content, which \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e saves to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes the downloaded file (e.g., a malicious script or executable).\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as establishing persistence, escalating privileges, or deploying further malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the network, accessing sensitive data and systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to download and execute arbitrary files on a Windows system, leading to potential compromise of the host and the network. This can result in data theft, system damage, or ransomware infection. 
Due to the legitimate nature of the \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e utility, this technique can bypass security controls and detection mechanisms, increasing the likelihood of successful exploitation. While the exact number of victims is unknown, any Windows system where an attacker can execute commands is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote File Download via Desktopimgdownldr Utility\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e with the \u003ccode\u003e/lockscreenurl\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e to identify suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure sufficient data is available for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003edesktopimgdownldr.exe\u003c/code\u003e downloading files from external URLs to determine if they are malicious.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables in sensitive environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-desktopimgdownldr-remote-file-copy/","summary":"The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.","title":"Remote File Download via Desktopimgdownldr Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-desktopimgdownldr-remote-file-copy/"}],"language":"en","title":"CraftedSignal Threat Feed — 
File-Download","version":"https://jsonfeed.org/version/1.1"}