Potential Arbitrary File Download Via Cmdl32.EXE

Original Source: [Sigma source]
Title: Potential Arbitrary File Download Via Cmdl32.EXE
Status: test
Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility to download arbitrary files via a configuration file (the connection profile passed as an argument). Inspect the location and the content of the file passed as an argument to determine whether it is suspicious.
References:
  - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
  - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
  - https://github.com/LOLBAS-Project/LOLBAS/pull/151
Author: frack113
Date: 2021-11-03
Modified: 2024-04-22
Tags:
  - 'attack.execution'
  - 'attack.defense-evasion'
  - 'attack.t1218'
  - 'attack.t1202'
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img:
    Image|endswith: '\cmdl32.exe'
    OriginalFileName: 'CMDL32.EXE'
  selection_cli:
    CommandLine|contains|all:
      - '/vpn'
      - '/lan'
  condition: all of selection_*
Falsepositives:
  - Unknown
Level: medium