id: d83f40fc-bbcc-4020-8d45-ad2d82355cb2
name: PowerShell downloads
description: |
'Finds PowerShell execution events that could involve a download'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
tactics:
- Execution
- CommandAndControl
query: |
let timeframe = 1d;
let ProcessCreationEvents=() {
let processEvents=SecurityEvent
| where EventID==4688
| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, AccountDomain=SubjectDomainName,
FileName=tostring(split(NewProcessName, '\\')[-1]),
ProcessCommandLine = CommandLine,
InitiatingProcessFileName=ParentProcessName,InitiatingProcessCommandLine="",InitiatingProcessParentFileName="";
processEvents};
ProcessCreationEvents
| where TimeGenerated >= ago(timeframe)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project TimeGenerated, ComputerName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by TimeGenerated
| extend timestamp = TimeGenerated, HostCustomEntity = ComputerName, AccountCustomEntity = AccountName