PowerShell Download and Execution Cradles

 1title: PowerShell Download and Execution Cradles
 2id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
 3status: test
 4description: Detects PowerShell download and execution cradles.
 5references:
 6    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 7    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 8author: Florian Roth (Nextron Systems)
 9date: 2022-03-24
10modified: 2023-05-04
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection_download:
19        CommandLine|contains:
20            - '.DownloadString('
21            - '.DownloadFile('
22            - 'Invoke-WebRequest '
23            - 'iwr '
24    selection_iex:
25        CommandLine|contains:
26            - ';iex $'
27            - '| IEX'
28            - '|IEX '
29            - 'I`E`X'
30            - 'I`EX'
31            - 'IE`X'
32            - 'iex '
33            - 'IEX ('
34            - 'IEX('
35            - 'Invoke-Expression'
36    condition: all of selection_*
37falsepositives:
38    - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
39level: high

References

• Payload-Download-Cradles/Download-Cradles.cmd at 88e8eca34464a547c90d9140d70e9866dcbc6a12 · VirtualAlllocEx/Payload-Download-Cradles

  

  This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections. - VirtualAlllocEx/...

  
  Read More

• FIN7 tradecraft seen in attacks against Veeam backup servers

  

  WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.

  
  Read More

Related rules

• Abusable DLL Potential Sideloading From Suspicious Location
• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• Atlassian Confluence CVE-2022-26134
• Azure New CloudShell Created