Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-11 02:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Cleaned up signature descriptions and metadata.

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/powershell_download_cradles.yml
+21
View File
@@ -0,0 +1,21 @@
title: Powershell Download Cradles
description: Detects usage of Powershell to download a malicious files. The below query
will find CommandLine or CommandScript downloads using multiple cradle methods as
documented here HarmJ0y. This query should only be used for hunting purposes
and covers most unobfuscated powershell cradles.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
tactic: Initial Access
technique: T1566
subtechnique: 001
operating_system: windows
query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
(","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
(","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
false_positives:
tags:
references:
- https://gist.github.com/HarmJ0y/bb48307ffa663256e239