Nasreddine Bencherchali
be359ef3f2
Create Release / Create Release (push) Has been cancelled
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode" fix: Metasploit SMB Authentication - Remove unnecessary field fix: Service Installation in Suspicious Folder - Update FP filter update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2" remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules remove: SAM Dump to AppData update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2" update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2" update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1" update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1" update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only update: New or Renamed User Account with '$' Character - Reduced level to "medium" update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium" update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic update: Prefetch File Deleted - Update selection to remove 'C:' prefix update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule) update: Shell Process Spawned by Java.EXE - Add "bash.exe" update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic update: Sysmon Application Crashed - Add 32bit version of sysmon binary update: Tap Driver Installation - Security - Reduce level to "low" update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
title: Suspicious PowerShell Download - Powershell Script
|
|
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
|
|
related:
|
|
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
|
|
type: derived
|
|
status: test
|
|
description: Detects suspicious PowerShell download command
|
|
references:
|
|
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
|
|
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
|
|
author: Florian Roth (Nextron Systems)
|
|
date: 2017/03/05
|
|
modified: 2022/12/02
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
logsource:
|
|
product: windows
|
|
category: ps_script
|
|
definition: 'Requirements: Script Block Logging must be enabled'
|
|
detection:
|
|
webclient:
|
|
ScriptBlockText|contains: 'System.Net.WebClient'
|
|
download:
|
|
ScriptBlockText|contains:
|
|
- '.DownloadFile('
|
|
- '.DownloadFileAsync('
|
|
- '.DownloadString('
|
|
- '.DownloadStringAsync('
|
|
condition: webclient and download
|
|
falsepositives:
|
|
- PowerShell scripts that download content from the Internet
|
|
level: medium
|