mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-09 09:27:16 +00:00
keyboardcrunch
22 lines
978 B
YAML
22 lines
978 B
YAML
title: Powershell Download Cradles
|
|
description: Detects usage of Powershell to download a malicious files. The below query
|
|
will find CommandLine or CommandScript downloads using multiple cradle methods as
|
|
documented here HarmJ0y. This query should only be used for hunting purposes
|
|
and covers most unobfuscated powershell cradles.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Initial Access
|
|
technique: T1566
|
|
subtechnique: 001
|
|
operating_system: windows
|
|
query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
|
|
(","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
|
|
In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
|
|
(","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
|
|
false_positives:
|
|
tags:
|
|
references:
|
|
- https://gist.github.com/HarmJ0y/bb48307ffa663256e239
|