The File downloader/dropper rule flags files that reference urlmon.dll together with one of its URL download APIs, a pattern used when an attacker's script or tool downloads and executes malicious payloads, often as one stage of a multi-stage attack. Legitimate Windows software uses the same APIs, so a match should be triaged against the benign scenarios listed below before it is escalated. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent lateral movement or data exfiltration.
YARA Rule
rule network_dropper {
    meta:
        author = "x0r"
        description = "File downloader/dropper"
        version = "0.1"
    strings:
        // The library that exports the URL download APIs; matched case-insensitively
        $f1 = "urlmon.dll" nocase
        // Download/stream APIs exported by urlmon.dll. These are case-sensitive, and
        // because they are substrings the "A"/"W" suffixed imports also match.
        $c1 = "URLDownloadToFile"
        $c2 = "URLDownloadToCacheFile"
        $c3 = "URLOpenStream"
        $c4 = "URLOpenPullStream"
    condition:
        // Require the library reference plus at least one of the download APIs
        $f1 and 1 of ($c*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled system update via Windows Update
Description: A legitimate scheduled task runs wuauclt.exe to download and install Windows updates.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, or check for the presence of WindowsUpdate in the process name or command line.

Scenario: Admin performing a software deployment using Microsoft Endpoint Configuration Manager (MECM)
Description: An administrator uses MECM to deploy software, which may involve downloading files from a trusted internal server.
Filter/Exclusion: Exclude processes initiated by the MECM service, or check for the presence of ConfigurationManager in the process name or command line.

Scenario: Legitimate file transfer using Robocopy or a PowerShell script
Description: A script or command-line tool such as robocopy.exe or powershell.exe is used to transfer files between servers.
Filter/Exclusion: Exclude processes with robocopy.exe in the command line, or check for the presence of robocopy or powershell in the process name or command line.

Scenario: Antivirus or endpoint protection signature update
Description: An endpoint protection tool (e.g., Microsoft Defender, CrowdStrike) downloads signature updates from its cloud service.
Filter/Exclusion: Exclude processes associated with the endpoint protection vendor (e.g., mpengine.exe, crowdstrike.exe), or check for known update URLs or domains.

Scenario: Database backup using a SQL Server Agent job
Description: A SQL Server Agent job runs a backup script that may involve downloading files from a remote database server.
Filter/Exclusion: Exclude processes initiated by the SQL Server Agent service, or check for the presence of sqlservr.exe or sqlagent.exe in the process
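The following Python is an added example, not part of the original rule or its author's tooling: it re-implements the rule's string semantics (`nocase` on $f1, case-sensitive $c*) over constructed sample buffers, and applies the process-context exclusions from the scenarios above. The sample bytes, the `EXCLUSION_TOKENS` list and the function names are assumptions made for the example.

```python
import re

# $f1 = "urlmon.dll" nocase -> case-insensitive search
F1 = re.compile(rb"urlmon\.dll", re.IGNORECASE)
# $c1..$c4 carry no modifier, so they are case-sensitive plain substrings.
C_STRINGS = (b"URLDownloadToFile", b"URLDownloadToCacheFile",
             b"URLOpenStream", b"URLOpenPullStream")


def network_dropper_hits(data: bytes) -> list:
    """Return the $c* strings found, or [] when the rule would not fire.

    Mirrors `condition: $f1 and 1 of ($c*)`: the urlmon.dll reference is
    required, plus at least one download API name.
    """
    if not F1.search(data):
        return []
    return [c.decode() for c in C_STRINGS if c in data]


# Process-context exclusions drawn from the scenarios above (constructed list).
# Tokens are compared lower-cased against process name + command line. A bare
# "powershell" token is deliberately left out: it would suppress most real droppers.
EXCLUSION_TOKENS = ("wuauclt.exe", "windowsupdate", "configurationmanager",
                    "robocopy", "mpengine.exe", "crowdstrike.exe",
                    "sqlservr.exe", "sqlagent.exe")


def should_suppress(process_name: str, command_line: str = "") -> bool:
    """True when the match comes from one of the benign scenarios above."""
    context = f"{process_name} {command_line}".lower()
    return any(token in context for token in EXCLUSION_TOKENS)


# Constructed sample buffers (not real binaries) exercising the edge cases.
SAMPLES = {
    "import_table_like": b"MZ\x90\x00...urlmon.dll\x00URLDownloadToFileA\x00",
    "uppercase_dll":     b"URLMON.DLL\x00URLOpenStream\x00",
    "dll_without_api":   b"urlmon.dll\x00InternetOpenUrlA\x00",
    "api_wrong_case":    b"urlmon.dll\x00urldownloadtofile\x00",
}


def scan_samples() -> dict:
    """Map each constructed sample to the $c* strings the rule would report."""
    return {name: network_dropper_hits(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:18} -> {'MATCH ' + ','.join(hits) if hits else 'no match'}")
    print("suppress wuauclt.exe:", should_suppress("wuauclt.exe"))
```

The uppercase and wrong-case samples show why only $f1 carries `nocase`: a lowercased API name evades the rule, while the suffixed `URLDownloadToFileA` import still matches.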