Using powershell specific download cradle OneLiner
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
Sigma rule (View on GitHub)
1title: Using powershell specific download cradle OneLiner
2id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d
3status: Experimental
4description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
5author: \@Kostastsale, \@TheDFIRReport
6references:
7 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
8 - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
9date: 2022/05/09
10logsource:
11 product: windows
12 category: process_creation
13detection:
14 selection1:
15 Image|endswith:
16 - '\powershell.exe'
17 CommandLine|contains|all:
18 - 'http://127.0.0.1'
19 - '%{(IRM $_)}'
20 - '.SubString.ToString()[67,72,64]-Join'
21 - 'Import-Module'
22 condition: selection1
23falsepositives:
24 - Uknown
25level: high
26tags:
27 - attack.defense_evasion
28 - attack.t1562.001
29 - attack.execution
30 - T1059.001```
References
-
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral moveme…
Read More -
Various Powershell Download Cradles purposed as one-liners - Download-Cradles-Oneliners.md
Read More
Related rules
- PowerShell AMSI Bypass Pattern
- Custom Cobalt Strike Command Execution
- Deleting Windows Defender scheduled tasks
- Enabling restricted admin mode
- Bypassing Security Controls - Command Shell