{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/url-file/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","execution","url-file","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers commonly use .url shortcut files in phishing campaigns to deliver malicious payloads. These files, when downloaded from non-local sources, may bypass traditional security measures. This detection rule identifies such files by monitoring their creation events on Windows systems. The rule focuses on files with the .url extension and a zone identifier indicating they originated from outside the local network. These files are often delivered via email or malicious websites, tricking users into clicking them, which can lead to the execution of arbitrary commands or the redirection to malicious websites. This technique allows attackers to gain initial access or execute malicious code on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email or a malicious website containing a link to a .url file.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link, resulting in the download of the .url file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe .url file is created on the filesystem, triggering a file creation event.\u003c/li\u003e\n\u003cli\u003eThe operating system assigns a Zone Identifier to the file, marking it as originating from an external source.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the .url file, which contains a URL pointing to a malicious website or an executable.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to open the URL using the default web browser or execute the embedded command.\u003c/li\u003e\n\u003cli\u003eIf the URL points to a malicious website, the victim may be prompted to download and execute malware.\u003c/li\u003e\n\u003cli\u003eThe malware executes, potentially leading to system compromise, data theft, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary commands, redirection to malicious websites, and subsequent malware infection. If successful, attackers can compromise user systems, steal sensitive information, or establish a foothold for further malicious activities within the organization\u0026rsquo;s network. The impact can range from individual system compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives and the extent of the infection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDownloaded URL Files Created\u003c/code\u003e to your SIEM to detect the creation of downloaded .url files with a non-local Zone Identifier and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003efile creation\u003c/code\u003e events where \u003ccode\u003efile.extension == \u0026quot;url\u0026quot;\u003c/code\u003e and \u003ccode\u003efile.Ext.windows.zone_identifier == 3\u003c/code\u003e using the provided investigation steps in the advisory.\u003c/li\u003e\n\u003cli\u003eUpdate security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eEducate users on safe downloading practices and the risks associated with opening .url files from untrusted sources, as highlighted in the advisory\u0026rsquo;s false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T17:49:12Z","date_published":"2024-01-04T17:49:12Z","id":"/briefs/2024-01-downloaded-url-files/","summary":"This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.","title":"Detection of Downloaded URL Files Used in Phishing Campaigns","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-url-files/"}],"language":"en","title":"CraftedSignal Threat Feed — Url-File","version":"https://jsonfeed.org/version/1.1"}