mirror of https://gitlab.com/curben/blog
18 lines
1.2 KiB
Markdown
18 lines
1.2 KiB
Markdown
---
|
|
title: PowerShell Web Downloads (Operational)
|
|
layout: page
|
|
date: 2025-07-27
|
|
---
|
|
|
|
References: [1](https://redcanary.com/blog/intelligence-insights-may-2023/), [2](https://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-Sept-2018-v22.pdf), [3](https://lolbas-project.github.io/lolbas/Binaries/Certutil/), [4](https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/#discovery), [5](https://redcanary.com/blog/threat-intelligence/intelligence-insights-march-2024/)
|
|
SPL:
|
|
|
|
```spl
|
|
index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText IN ("*.Download*", "*Net.WebClient*", "*certutil* -urlcache*", "*certutil* -f*", "*certutil* /f*")
|
|
| eval sid_lookup=replace(UserID, "'", "")
|
|
| lookup ad_users objectSid AS sid_lookup OUTPUT sAMAccountName AS Username
|
|
| eval user_lookup=replace(Username,"^(\w+)_admin","\1")
|
|
| lookup ad_users sAMAccountName AS user_lookup OUTPUT displayName AS Name, mail AS Email
|
|
| table _time, host, Path, Computer, ScriptBlockText, Username, Name, Company, Department, Email
|
|
```
|