PowerShell Download Pattern
Detects a Powershell process that contains download commands in its command line string
Sigma rule (View on GitHub)
1title: PowerShell Download Pattern
2id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
3related:
4 - id: e6c54d94-498c-4562-a37c-b469d8e9a275
5 type: derived
6status: test
7description: Detects a Powershell process that contains download commands in its command line string
8references:
9 - https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
10 - https://lab52.io/blog/winter-vivern-all-summer/
11 - https://hatching.io/blog/powershell-analysis/
12author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
13date: 2019/01/16
14modified: 2023/01/26
15tags:
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 - OriginalFileName:
27 - 'PowerShell.EXE'
28 - 'pwsh.dll'
29 selection_cli:
30 CommandLine|contains|all:
31 - 'new-object'
32 - 'net.webclient).'
33 - 'download'
34 CommandLine|contains:
35 - 'string('
36 - 'file('
37 condition: all of selection_*
38falsepositives:
39 - Unknown
40level: medium
References
-
red team, blue team, penetration testing, red teaming, threat hunting, digital forensics, incident response, cyber security, IT security
Read More -
In July, 2021, Lab52 found a currently active infection campaign (domain still up at the time of this writing) attributed to a group referred as Wintervivern after a report published by the researc...
Read More -
Automated malware analysis with Hatching Triage, the high-volume sandbox solution for SOCs, CERTs, SOARs, and MSSPs.
Read More
Related rules
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Malicious PowerShell Scripts - FileCreation
- Malicious PowerShell Scripts - PoshModule