Skip to content

Hide Navigation Hide TOC

Potential Arbitrary File Download Via Cmdl32.EXE (f37aba28-a9e6-4045-882c-d5004043b337)

Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Arbitrary File Download Via Cmdl32.EXE (f37aba28-a9e6-4045-882c-d5004043b337) Sigma-Rules Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 1
Potential Arbitrary File Download Via Cmdl32.EXE (f37aba28-a9e6-4045-882c-d5004043b337) Sigma-Rules System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1