2021-08-28 06:55:50 +02:00
---
Name : cmdl32.exe
Description : Microsoft Connection Manager Auto-Download
Author : 'Elliot Killick'
2021-12-14 15:57:32 +01:00
Created : 2021-08-26
2021-08-28 06:55:50 +02:00
Commands :
- Command : cmdl32 /vpn /lan %cd%\config
Description : Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
Usecase : Download file from Internet
Category : Download
Privileges : User
MitreID : T1105
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2021-08-28 06:55:50 +02:00
Full_Path :
- Path : C:\Windows\System32\cmdl32.exe
- Path : C:\Windows\SysWOW64\cmdl32.exe
Detection :
2021-11-15 14:19:03 +01:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml
2021-08-28 06:55:50 +02:00
- IOC : Reports of downloading from suspicious URLs in %TMP%\config.log
- IOC : Useragent Microsoft(R) Connection Manager Vpn File Update
2021-10-22 16:34:41 +02:00
Resources :
2021-10-22 16:31:54 +02:00
- Link : https://github.com/LOLBAS-Project/LOLBAS/pull/151
2023-08-04 12:21:36 +02:00
- Link : https://twitter.com/ElliotKillick/status/1455897435063074824
- Link : https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/
2021-08-28 06:55:50 +02:00
Acknowledgement :
- Person : Elliot Killick
Handle : '@elliotkillick'