DesktopImgDownLdr rules

rules/windows/file_event/win_susp_desktopimgdownldr_file.yml

@@ -0,0 +1,24 @@
+title: Suspicious Desktopimgdownldr Command
+id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
+status: experimental
+description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+author: Florian Roth
+date: 2020/07/03
+references:
+    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+logsource:
+    product: windows
+    category: file_event
+tags:
+    - attack.defense_evasion
+    - attack.t1105
+detection:
+    selection1:
+
+    condition: selection1 and not selection1_filter or selection_reg
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: high

rules/windows/process_creation/win_susp_desktopimgdownldr.yml

@@ -0,0 +1,33 @@
+title: Suspicious Desktopimgdownldr Command
+id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
+status: experimental
+description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+author: Florian Roth
+date: 2020/07/03
+references:
+    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+logsource:
+    category: process_creation
+    product: windows
+tags:
+    - attack.defense_evasion
+    - attack.t1105
+detection:
+    selection1:
+        CommandLine|contains: ' /lockscreenurl:'
+    selection2_filter:
+        CommandLine|contains:
+            - '.jpg'
+            - '.jpeg'
+            - '.png'
+    selection_reg:
+        CommandLine|contains|all:
+            - 'reg delete'
+            - '\PersonalizationCSP'
+    condition: selection1 and not selection1_filter or selection_reg
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: high