LoFP / false positives may be present and filtering will need to occur by parent process or command line argument. it may be required to modify this query to an edr product for more granular coverage.

Techniques

• T1059
• T1059.001
• T1105

Sample rules

Any Powershell DownloadString

• source: splunk
• technicques:
  • T1059
  • T1059.001
  • T1105

Description

The following analytic detects the use of PowerShell’s DownloadString method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because DownloadString is commonly used in malicious PowerShell scripts to fetch and execute remote code. If confirmed malicious, this behavior could allow an attacker to download and run arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString*  by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `any_powershell_downloadstring_filter`

Any Powershell DownloadFile

• source: splunk
• technicques:
  • T1059
  • T1059.001
  • T1105

Description

The following analytic detects the use of PowerShell’s DownloadFile method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `any_powershell_downloadfile_filter`