LOLBAS/yml/OSBinaries/Cmdl32.yml

---
Name: cmdl32.exe
Description: Microsoft Connection Manager Auto-Download
Author: 'Elliot Killick'
Created: 2021-08-26
Commands:
  - Command: cmdl32 /vpn /lan %cd%\config
    Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\cmdl32.exe
  - Path: C:\Windows\SysWOW64\cmdl32.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
  - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
  - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
Resources:
  - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151
  - Link: https://twitter.com/ElliotKillick/status/1455897435063074824
  - Link: https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
Create cmdl32.yml 2021-08-28 06:55:50 +02:00			`---`
			`Name: cmdl32.exe`
			`Description: Microsoft Connection Manager Auto-Download`
			`Author: 'Elliot Killick'`
Minor formatting changes (redudant backslashes, incorrect dates, typos, etc.) 2021-12-14 15:57:32 +01:00			`Created: 2021-08-26`
Create cmdl32.yml 2021-08-28 06:55:50 +02:00			`Commands:`
			`- Command: cmdl32 /vpn /lan %cd%\config`
			`Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.`
			`Usecase: Download file from Internet`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
Updating entries that have been confirmed to be working on Windows 11 (21H2) 2021-12-14 16:50:17 +01:00			`OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11`
Create cmdl32.yml 2021-08-28 06:55:50 +02:00			`Full_Path:`
			`- Path: C:\Windows\System32\cmdl32.exe`
			`- Path: C:\Windows\SysWOW64\cmdl32.exe`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml`
Create cmdl32.yml 2021-08-28 06:55:50 +02:00			`- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log`
			`- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update`
Update Cmdl32.yml 2021-10-22 16:34:41 +02:00			`Resources:`
Update cmdl32.yml 2021-10-22 16:31:54 +02:00			`- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151`
Update Cmdl32.exe resource links (#317) 2023-08-04 12:21:36 +02:00			`- Link: https://twitter.com/ElliotKillick/status/1455897435063074824`
			`- Link: https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/`
Create cmdl32.yml 2021-08-28 06:55:50 +02:00			`Acknowledgement:`
			`- Person: Elliot Killick`
			`Handle: '@elliotkillick'`