26 строки
967 B
YAML
26 строки
967 B
YAML
id: 4846436d-5183-4a33-a975-fc892ffea91d
|
|
name: Powercat Download (Normalized Process Events)
|
|
description: |
|
|
'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Exfiltration
|
|
relevantTechniques:
|
|
- T1011
|
|
query: |
|
|
imProcessCreate
|
|
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
|
|
| where CommandLine hassuffix "powercat.ps1"
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity |