27 строки
963 B
YAML
27 строки
963 B
YAML
id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
|
|
name: Powercat Download
|
|
description: |
|
|
'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Exfiltration
|
|
relevantTechniques:
|
|
- T1011
|
|
query: |
|
|
SecurityEvent
|
|
| where EventID == 4688
|
|
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
|
|
| where CommandLine hassuffix "powercat.ps1"
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity |