IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Remote File Download via PowerShell
edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
Remote File Download via PowerShell
editIdentifies powershell.exe being used to download an executable file from an untrusted remote destination.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Command and Control
Version: 1
Added (Elastic Stack release): 7.11.0
Rule authors: Elastic
Rule license: Elastic License
Rule query
editsequence by host.id, process.entity_id with maxspan=30s [network
where process.name : "powershell.exe" and network.protocol == "dns"
and not dns.question.name : ("localhost", "*.microsoft.com",
"*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com",
"metadata.google.internal") and not user.domain : "NT AUTHORITY"]
[file where process.name : "powershell.exe" and event.type ==
"creation" and file.extension : ("exe", "dll", "ps1", "bat") and
not file.name : "__PSScriptPolicy*.ps1"]
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Ingress Tool Transfer
- ID: T1105
- Reference URL: https://attack.mitre.org/techniques/T1105/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/