File Download From Browser Process Via Inline URL

Format: Sigma · Level: medium · Source: SigmaHQ · ATT&CK: T1105 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-06T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user, for example by launching the browser in a minimized state.

Detection Rule

Sigma (Original)

title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
    - https://twitter.com/mrd0x/status/1478116126005641220
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2025-10-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_http:
        CommandLine|contains: 'http'
    selection_extensions:
        - CommandLine|endswith:
              - '.7z'
              - '.dat'
              - '.dll'
              - '.exe'
              - '.hta'
              - '.ps1'
              - '.psm1'
              - '.txt'
              - '.vbe'
              - '.vbs'
              - '.zip'
        - CommandLine|contains:
              - '.7z"'
              - '.dat"'
              - '.dll"'
              - '.hta"'
              - '.ps1"'
              - '.psm1"'
              - '.txt"'
              - '.vbe"'
              - '.vbs"'
              - '.zip"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\brave.exe"
        or TargetProcessName endswith "\\chrome.exe"
        or TargetProcessName endswith "\\msedge.exe"
        or TargetProcessName endswith "\\opera.exe"
        or TargetProcessName endswith "\\vivaldi.exe")
    and TargetProcessCommandLine contains "http"
    and ((TargetProcessCommandLine endswith ".7z"
          or TargetProcessCommandLine endswith ".dat"
          or TargetProcessCommandLine endswith ".dll"
          or TargetProcessCommandLine endswith ".exe"
          or TargetProcessCommandLine endswith ".hta"
          or TargetProcessCommandLine endswith ".ps1"
          or TargetProcessCommandLine endswith ".psm1"
          or TargetProcessCommandLine endswith ".txt"
          or TargetProcessCommandLine endswith ".vbe"
          or TargetProcessCommandLine endswith ".vbs"
          or TargetProcessCommandLine endswith ".zip")
         or (TargetProcessCommandLine contains ".7z\""
             or TargetProcessCommandLine contains ".dat\""
             or TargetProcessCommandLine contains ".dll\""
             or TargetProcessCommandLine contains ".hta\""
             or TargetProcessCommandLine contains ".ps1\""
             or TargetProcessCommandLine contains ".psm1\""
             or TargetProcessCommandLine contains ".txt\""
             or TargetProcessCommandLine contains ".vbe\""
             or TargetProcessCommandLine contains ".vbs\""
             or TargetProcessCommandLine contains ".zip\""))
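The rule's three selections re-implemented in Python and run over constructed process-creation events, as an added example for testing the matching logic offline (this is not the SigmaHQ rule or the site's code; the sample Image and CommandLine values are made up). It shows the two ways selection_extensions fires, an unquoted URL at the end of the command line versus a quoted URL where the extension is followed by the closing quote, and why the quoted list omits `.exe"`.

```python
# Added example: re-implementation of the Sigma selections above for offline testing.
BROWSER_IMAGES = ("\\brave.exe", "\\chrome.exe", "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe")
# selection_extensions, first alternative: unquoted URL, extension ends the command line.
EXT_ENDSWITH = (".7z", ".dat", ".dll", ".exe", ".hta", ".ps1", ".psm1", ".txt", ".vbe", ".vbs", ".zip")
# Second alternative: quoted URL, so the extension is followed by a closing quote.
# '.exe"' is deliberately absent from this list in the rule: the browser's own quoted
# image path ("C:\...\chrome.exe" --flag) would otherwise match on every launch.
EXT_QUOTED = tuple(ext + '"' for ext in EXT_ENDSWITH if ext != ".exe")


def matches_rule(image: str, command_line: str) -> bool:
    """True when all three selections hold (condition: all of selection_*).

    Sigma string modifiers are case-insensitive by default, so both fields
    are lower-cased before comparison.
    """
    img = image.lower()
    cmd = command_line.lower()
    selection_img = img.endswith(BROWSER_IMAGES)
    selection_http = "http" in cmd
    selection_extensions = cmd.endswith(EXT_ENDSWITH) or any(q in cmd for q in EXT_QUOTED)
    return selection_img and selection_http and selection_extensions


# Constructed sample events, not real telemetry: (Image, CommandLine, expected verdict).
SAMPLE_EVENTS = [
    # Unquoted URL ending in .zip: fires via the endswith alternative.
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-size=1,1 http://example.invalid/a.zip', True),
    # Quoted URL: the closing quote follows .ps1, so only the contains alternative fires.
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://example.invalid/script.ps1"', True),
    # Ordinary web page: contains "http" and the quoted image path ends in .exe",
    # but neither extension alternative matches, so no alert.
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.invalid/index.html', False),
    # Same URL from a non-browser image: selection_img fails.
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c start http://example.invalid/a.zip", False),
]


def evaluate(events=SAMPLE_EVENTS):
    """Run the rule over the events; return a list of (CommandLine, matched)."""
    return [(cmd, matches_rule(img, cmd)) for img, cmd, _expected in events]


if __name__ == "__main__":
    for cmd, hit in evaluate():
        print("ALERT" if hit else "  ok ", cmd)
```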

Required Data Sources

Sentinel Table      Notes
imProcessCreate     Ensure this data connector is enabled

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml