LoFP / Legitimate database administrators or developers may create UDL files for routine connection testing. Filter alerts based on trusted user activity (for example, known DBA accounts or the database tooling they use) to reduce false positives.

Techniques

Sample rules

Description

Detects the creation of Universal Data Link (UDL) files. Windows uses these files to store OLE DB database connection strings; opening one launches the Data Link Properties dialog, which offers a "Test Connection" button. Because a UDL file is a small text file rather than an executable or macro document, it can pass email filters tuned for those, and an attacker who persuades a victim to open it and test the connection gets the victim to authenticate to a server the attacker controls, exposing the user's credentials.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_name="*.udl" Filesystem.action="created"
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
       Filesystem.process_guid Filesystem.process_id Filesystem.file_path
       Filesystem.action Filesystem.file_name Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_universal_data_link_file_creation_filter`
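The same detection logic run over a handful of constructed Endpoint.Filesystem-style events, as an added Python example that is not the page's or Splunk's own code. It reproduces each stage of the search (the `*.udl` + `created` predicate, the `count`/`min(_time)`/`max(_time)` aggregation, the `security_content_ctime` conversion, and a trusted-user allowlist standing in for the filter macro). The event values, the `TRUSTED_USERS` set and the reduced group-by key are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed Endpoint.Filesystem-style events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    # Phishing-style: a .udl written by a browser download into Downloads, seen twice.
    {"_time": 1700000000, "dest": "ws01", "action": "created", "file_name": "invoice.udl",
     "file_path": "C:\\Users\\alice\\Downloads\\invoice.udl", "user": "CORP\\alice",
     "process_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"_time": 1700000060, "dest": "ws01", "action": "created", "file_name": "invoice.udl",
     "file_path": "C:\\Users\\alice\\Downloads\\invoice.udl", "user": "CORP\\alice",
     "process_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    # Routine DBA activity: suppressed by the trusted-user list below.
    {"_time": 1700000120, "dest": "db01", "action": "created", "file_name": "prod.udl",
     "file_path": "C:\\Users\\dba\\Desktop\\prod.udl", "user": "CORP\\dba",
     "process_path": "C:\\Windows\\explorer.exe"},
    # Wrong action: the search only looks at creations.
    {"_time": 1700000180, "dest": "ws02", "action": "deleted", "file_name": "old.udl",
     "file_path": "C:\\Temp\\old.udl", "user": "CORP\\bob",
     "process_path": "C:\\Windows\\explorer.exe"},
    # Wrong extension.
    {"_time": 1700000240, "dest": "ws02", "action": "created", "file_name": "notes.txt",
     "file_path": "C:\\Temp\\notes.txt", "user": "CORP\\bob",
     "process_path": "C:\\Windows\\notepad.exe"},
    # Upper-case extension saved from a mail client: must still match.
    {"_time": 1700000300, "dest": "ws03", "action": "created", "file_name": "Report.UDL",
     "file_path": "C:\\Users\\carol\\AppData\\Local\\Temp\\Report.UDL", "user": "CORP\\carol",
     "process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
]

# Stand-in for the `windows_universal_data_link_file_creation_filter` macro:
# accounts whose UDL creations are expected. Hypothetical values.
TRUSTED_USERS = {"corp\\dba"}

# Reduced group-by key; the real search also splits on process_guid, process_id,
# file_create_time, action, file_name and vendor_product.
GROUP_BY = ("dest", "file_path", "process_path", "user")


def matches(event):
    """Equivalent of: where Filesystem.file_name="*.udl" Filesystem.action="created".
    Windows file names are case-insensitive, so the extension test is too."""
    return event["action"] == "created" and event["file_name"].lower().endswith(".udl")


def aggregate(events):
    """Equivalent of the tstats count / min(_time) / max(_time) ... by <fields> stage."""
    groups = {}
    for e in events:
        if not matches(e):
            continue
        key = tuple(e[f] for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return [dict(zip(GROUP_BY, key), **g) for key, g in groups.items()]


def apply_filter(results, trusted_users=TRUSTED_USERS):
    """Equivalent of the filter macro: drop rows produced by trusted accounts."""
    return [r for r in results if r["user"].lower() not in trusted_users]


def ctime(epoch):
    """Equivalent of `security_content_ctime`: epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events=SAMPLE_EVENTS, trusted_users=TRUSTED_USERS):
    """Full pipeline: predicate, aggregation, trusted-user suppression, time formatting."""
    rows = apply_filter(aggregate(events), trusted_users)
    for r in rows:
        r["firstTime"] = ctime(r["firstTime"])
        r["lastTime"] = ctime(r["lastTime"])
    return rows


if __name__ == "__main__":
    for row in run_detection():
        print(row)
```

Of the six events, only the two Downloads creations (collapsed into one row with `count` 2) and the Outlook temp-file creation survive; the DBA's `prod.udl` is dropped by the allowlist, the deletion and the `.txt` never match. When tuning the real macro, prefer filtering on a combination of `user` and `process_path` (for example a DBA account plus the database tooling that writes the file) rather than on `user` alone, so a phished DBA opening a mailed UDL still alerts.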