LoFP / False positives will be found. http and https are URL protocol handlers that will trigger this analytic. Tune based on process or command line.

Techniques

Sample rules

Windows Identify Protocol Handlers

Description

The following hunting analytic identifies any protocol handlers invoked on the command line. A protocol handler is an application that knows how to handle a particular type of link: for example, a mail client is the protocol handler for “mailto:” links. When the user clicks a “mailto:” link, the browser launches the application registered as the handler for the “mailto:” protocol (or offers a choice of handlers, depending on the user's settings). Because the handler is launched with the link text on its command line, the scheme shows up in process telemetry. To enumerate the handlers registered on a host, use NirSoft URLProtocolView (https://www.nirsoft.net/utils/url_protocol_view.html) or query the registry with PowerShell: a scheme is registered as a handler when its key under HKEY_CLASSES_ROOT carries a value named “URL Protocol”, and the command it launches is stored under shell\open\command.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler 
| where ishandler="TRUE" 
| `windows_identify_protocol_handlers_filter`
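The following is an added example, not code from the LoFP page or from the Splunk rule above. It covers both halves of the description: Get-UrlProtocolHandler enumerates registered URL protocol handlers from the registry (the "query the registry using PowerShell" option), and Find-ProtocolHandlerInvocation applies the same "is this a registered handler?" check the hunting search performs with its lookup, while tuning out the noisy http and https handlers the false-positive note warns about. The process events and the default handler list are constructed so the matching part runs offline; the field names mirror the Endpoint.Processes fields used in the search. The scheme-extraction regex is this example's own approximation of the lookup's pattern match, not the contents of the windows_protocol_handlers lookup.

```powershell
# Added example (not part of the original rule). Requires PowerShell 5.1+ on Windows
# for the registry half; the matching half runs anywhere PowerShell runs.

function Get-UrlProtocolHandler {
    # A scheme is a URL protocol handler when its HKCR key has a value named "URL Protocol".
    # HKEY_CLASSES_ROOT merges HKLM and HKCU Software\Classes, so per-user handlers appear too.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'URL Protocol' } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdPath = "Registry::HKEY_CLASSES_ROOT\$scheme\shell\open\command"
            $command = $null
            if (Test-Path -Path $cmdPath) {
                # The launch command, e.g. "C:\...\OUTLOOK.EXE" -c IPM.Note /m "%1"
                $command = (Get-ItemProperty -Path $cmdPath).'(default)'
            }
            [pscustomobject]@{
                Scheme  = $scheme.ToLowerInvariant()
                Command = $command
            }
        }
}

function Find-ProtocolHandlerInvocation {
    param(
        [Parameter(Mandatory)] [string[]] $Schemes,   # registered handler schemes
        [Parameter(Mandatory)] [object[]] $Events,    # process events with Endpoint.Processes-style fields
        [string[]] $Allow = @('http', 'https')        # LoFP tuning: browsers fire constantly on these
    )
    # Approximation of the lookup: find "<scheme>:" at a token boundary in the command line.
    # "C:\path" also matches as scheme "c", which is harmless because "c" is never registered.
    $pattern = '(?<![\w.-])([a-z][\w+.-]*):'
    foreach ($e in $Events) {
        $hits = [regex]::Matches($e.process, $pattern, 'IgnoreCase') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
            Select-Object -Unique
        foreach ($scheme in $hits) {
            if ($Schemes -notcontains $scheme) { continue }   # not a registered handler
            if ($Allow -contains $scheme)     { continue }   # known-noisy handler, tuned out
            [pscustomobject]@{
                dest                = $e.dest
                user                = $e.user
                parent_process_name = $e.parent_process_name
                process_name        = $e.process_name
                handler             = $scheme
                process             = $e.process
            }
        }
    }
}

# Constructed handler list so this runs offline. On a live host use the registry instead:
#   $schemes = (Get-UrlProtocolHandler).Scheme
$schemes = @('http', 'https', 'mailto', 'search-ms', 'ms-settings')

# Constructed sample events (hypothetical host, user and paths).
$events = @(
    [pscustomobject]@{ dest = 'WS01'; user = 'CORP\alice'; parent_process_name = 'explorer.exe'
        process_name = 'OUTLOOK.EXE'
        process = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" -c IPM.Note /m "mailto:bob@example.com"' }
    [pscustomobject]@{ dest = 'WS01'; user = 'CORP\alice'; parent_process_name = 'explorer.exe'
        process_name = 'chrome.exe'
        process = '"C:\Program Files\Google\Chrome\Application\chrome.exe" -- "https://example.com/"' }
    [pscustomobject]@{ dest = 'WS01'; user = 'CORP\alice'; parent_process_name = 'winword.exe'
        process_name = 'explorer.exe'
        process = 'explorer.exe "search-ms:query=report&crumb=location:C:\Users\alice"' }
    [pscustomobject]@{ dest = 'WS01'; user = 'CORP\alice'; parent_process_name = 'cmd.exe'
        process_name = 'cmd.exe'
        process = 'cmd.exe /c dir C:\temp' }
)

# Expected: the mailto and search-ms events are returned; the https event is dropped by the
# allow list (the false positive the note describes) and the cmd.exe event matches nothing.
Find-ProtocolHandlerInvocation -Schemes $schemes -Events $events |
    Format-Table dest, parent_process_name, process_name, handler -AutoSize
```

The allow list is deliberately a parameter rather than a hard-coded exclusion: the note says to tune on process or command line, and in practice you will want to drop http/https only when the process is a browser, or only for specific parents, rather than globally. Adding a `-AllowProcess` list keyed on process_name is the natural next step on a real dataset.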