
ProtocolHandler.exe File Download

Anvilogic Forge

Summary
This rule detects unauthorized file downloads initiated by ProtocolHandler.exe, a Microsoft Office component used to open documents from sources such as Outlook and SharePoint. Adversaries may abuse this functionality to download malicious files, so the detection focuses on executions of ProtocolHandler.exe with a URL in the command line. It is implemented as Splunk searches over endpoint data that look for these command-line indicators: regular expressions match ProtocolHandler.exe executions whose arguments follow the patterns typically associated with URL requests, flagging potentially malicious activity. To reduce false positives from legitimate operations, maintain an allowlist of expected SharePoint domains. This rule may align with technique T1105 (Ingress Tool Transfer), which covers command-and-control tool transfers. The related references provide further context on ProtocolHandler.exe and its potential misuse.
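The following is an added illustration of the rule's logic in Python (it is not Anvilogic's Splunk search): it matches ProtocolHandler.exe executions carrying an http(s) URL in the command line and suppresses hits whose host is on an allowlist of expected SharePoint tenants. The allowlist entry, the file paths and the process events are constructed sample values, not real telemetry.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of expected SharePoint tenant hosts (placeholder value).
ALLOWED_SHAREPOINT_HOSTS = {"contoso.sharepoint.com"}

# URL pattern in the spirit of the rule's command-line regex: it stops at
# whitespace, quotes and the '|' separator used by Office URI schemes.
URL_RE = re.compile(r"https?://[^\s\"'|]+", re.IGNORECASE)

# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\ProtocolHandler.exe",
     "cmdline": r'"ProtocolHandler.exe" "ms-word:ofe|u|https://contoso.sharepoint.com/sites/hr/policy.docx"'},
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\ProtocolHandler.exe",
     "cmdline": r'"ProtocolHandler.exe" "ms-excel:ofe|u|https://files.example.net/invoice.xlsm"'},
    {"process": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe https://contoso.sharepoint.com/readme.txt"},
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\ProtocolHandler.exe",
     "cmdline": r'"ProtocolHandler.exe" "ms-word:ofe|u|C:\Users\alice\Documents\notes.docx"'},
]

def is_protocol_handler(event):
    """Match on the image name, not the full path, since Office install paths vary."""
    return event["process"].lower().rsplit("\\", 1)[-1] == "protocolhandler.exe"

def extract_urls(cmdline):
    """Return every http(s) URL found anywhere in the command line."""
    return URL_RE.findall(cmdline)

def evaluate(event, allowlist=ALLOWED_SHAREPOINT_HOSTS):
    """Return a finding for a suspicious event, or None if it should be ignored.
    Host comparison is exact, so a look-alike domain or an unexpected SharePoint
    tenant is still flagged rather than hidden by a broad *.sharepoint.com rule."""
    if not is_protocol_handler(event):
        return None
    urls = extract_urls(event["cmdline"])
    if not urls:
        return None  # local document path, no download involved
    flagged = [u for u in urls if urlparse(u).hostname not in allowlist]
    if not flagged:
        return None  # every URL points at an expected SharePoint host
    return {"process": event["process"], "cmdline": event["cmdline"], "urls": flagged}

def run_detection(events, allowlist=ALLOWED_SHAREPOINT_HOSTS):
    """Apply the rule to a batch of events and return the findings."""
    return [f for f in (evaluate(e, allowlist) for e in events) if f]
```

Running `run_detection(SAMPLE_EVENTS)` yields a single finding for the download from files.example.net; the allowlisted SharePoint open, the non-Office process and the local-path open are all ignored.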
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • User Account
ATT&CK Techniques
  • T1105
Created: 2024-02-09