-
Notifications
You must be signed in to change notification settings - Fork 2.9k
/
powershell_downloads.yaml
48 lines (48 loc) · 1.8 KB
/
powershell_downloads.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
id: d83f40fc-bbcc-4020-8d45-ad2d82355cb2
name: PowerShell downloads
description: |
'Finds PowerShell execution events that could involve a download'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
tactics:
- Execution
- CommandAndControl
query: |
let ProcessCreationEvents=() {
let processEvents=SecurityEvent
| where EventID==4688
| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,
FileName=tostring(split(NewProcessName, '\\')[-1]),
ProcessCommandLine = CommandLine,
InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
processEvents};
ProcessCreationEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe","pwsh.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project TimeGenerated, ComputerName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by TimeGenerated
| extend HostName = tostring(split(ComputerName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(ComputerName, '.'), 1, -1), '.'))
| extend Account_0_Name = AccountName
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
version: 2.0.1