medium advisory

Remote File Download via PowerShell

Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.

Attackers frequently use PowerShell, a legitimate administration tool present on every modern Windows host, to download malicious payloads onto compromised systems. Because the download is performed by a trusted, Microsoft-signed binary, it often passes controls that would flag an unknown downloader. This activity typically occurs during the command and control phase, when attackers stage additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable or script files from untrusted remote destinations. It does this by correlating network and file events: it looks for a PowerShell process that initiates a network connection to a domain outside the allowlist, followed by PowerShell creating an executable or script file. The rule helps defenders identify and respond to potential command and control activity and malware deployment attempts.

Attack Chain

  1. An attacker gains initial access to a Windows system, for example through phishing or by exploiting a vulnerability.
  2. The attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.
  3. The resulting DNS request is for a domain not in the allowed list (e.g., not *.microsoft.com, *.azureedge.net, etc.).
  4. PowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file whose content begins with an MZ header.
  5. The downloaded file is saved to disk.
  6. The save location is not one the rule excludes; the rule filters out commonly used temporary directories to reduce noise.
  7. The downloaded executable or script is then executed, leading to further malicious activity.
  8. The attacker achieves persistence, lateral movement, or data exfiltration, depending on the downloaded payload.
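The correlation described in the overview and in steps 2 through 6 above, together with the MZ-header check of the second rule listed under Detection coverage, can be sketched as a small offline detector. The following Python is an added example written for this page; it is not the platform's Sigma rule or its query. It assumes a simplified event shape, a 30-second correlation window, an allowlist containing only the two domains the page names, and two temporary-directory exclusions, none of which the page specifies; the log events it runs over are constructed for the example.

```python
"""Toy correlation of PowerShell DNS lookups with executable file creation.

Added example, not the platform's rule. Window, allowlist contents and
excluded directories are assumptions; the events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Only the two domains the advisory names; a real list is environment-specific.
ALLOWED_DOMAINS = ("*.microsoft.com", "*.azureedge.net")
EXEC_EXTENSIONS = {"exe", "dll", "ps1", "bat"}
# Assumed temp-directory exclusions (the advisory only says temp dirs are filtered).
EXCLUDED_DIR_PATTERNS = (r"c:\windows\temp\*", r"c:\users\*\appdata\local\temp\*")
MAX_SPAN = timedelta(seconds=30)  # assumed correlation window


@dataclass
class Event:
    ts: datetime
    host: str
    pid: int
    image: str
    kind: str            # "dns" or "file"
    domain: str = ""     # dns: queried name
    path: str = ""       # file: created path
    header: bytes = b""  # file: first bytes written to disk


def domain_allowed(domain: str) -> bool:
    d = domain.lower()
    return any(fnmatchcase(d, p) for p in ALLOWED_DOMAINS)


def looks_executable(path: str, header: bytes) -> bool:
    """Executable extension OR an MZ (PE) header, so renamed binaries still match."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXEC_EXTENSIONS or header.startswith(b"MZ")


def in_excluded_dir(path: str) -> bool:
    p = path.lower()
    return any(fnmatchcase(p, pat) for pat in EXCLUDED_DIR_PATTERNS)


def correlate(events):
    """Emit one alert per executable file a PowerShell process creates within
    MAX_SPAN of that same process resolving a non-allowlisted domain."""
    pending = {}  # (host, pid) -> most recent suspicious DNS event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image.lower() not in POWERSHELL_IMAGES:
            continue  # rule scope is PowerShell hosts only
        key = (ev.host, ev.pid)
        if ev.kind == "dns":
            if not domain_allowed(ev.domain):
                pending[key] = ev
        elif ev.kind == "file":
            dns = pending.get(key)
            if dns is None or ev.ts - dns.ts > MAX_SPAN:
                continue  # no recent untrusted lookup by this process
            if looks_executable(ev.path, ev.header) and not in_excluded_dir(ev.path):
                alerts.append({"host": ev.host, "pid": ev.pid,
                               "domain": dns.domain, "path": ev.path})
    return alerts


def sample_events():
    """Constructed telemetry covering hit, allowlisted, MZ-only, excluded-dir and expired cases."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    mz = b"MZ\x90\x00\x03"
    return [
        # 4242: untrusted lookup then .exe in Downloads -> alert
        Event(t0, "WS01", 4242, "powershell.exe", "dns", domain="cdn.example.net"),
        Event(t0 + timedelta(seconds=3), "WS01", 4242, "powershell.exe", "file",
              path=r"C:\Users\alice\Downloads\update.exe", header=mz),
        # 5151: allowlisted domain -> no alert even though a .ps1 is written
        Event(t0 + timedelta(seconds=10), "WS01", 5151, "pwsh.exe", "dns", domain="www.microsoft.com"),
        Event(t0 + timedelta(seconds=12), "WS01", 5151, "pwsh.exe", "file",
              path=r"C:\Users\alice\Downloads\tool.ps1", header=b"# ps"),
        # 6161: harmless extension but MZ header -> alert
        Event(t0 + timedelta(seconds=20), "WS01", 6161, "powershell.exe", "dns", domain="files.example.org"),
        Event(t0 + timedelta(seconds=25), "WS01", 6161, "powershell.exe", "file",
              path=r"C:\Users\alice\Documents\notes.txt", header=mz),
        # 7171: written into excluded temp dir -> no alert
        Event(t0 + timedelta(seconds=30), "WS01", 7171, "powershell.exe", "dns", domain="files.example.org"),
        Event(t0 + timedelta(seconds=31), "WS01", 7171, "powershell.exe", "file",
              path=r"C:\Windows\Temp\stage.dll", header=mz),
        # 8181: file creation 120 s after lookup -> outside window, no alert
        Event(t0 + timedelta(seconds=40), "WS01", 8181, "powershell.exe", "dns", domain="drop.example.net"),
        Event(t0 + timedelta(seconds=160), "WS01", 8181, "powershell.exe", "file",
              path=r"C:\Users\alice\Downloads\late.exe", header=mz),
        # 9191: not PowerShell -> out of scope
        Event(t0 + timedelta(seconds=50), "WS01", 9191, "msedge.exe", "dns", domain="drop.example.net"),
        Event(t0 + timedelta(seconds=52), "WS01", 9191, "msedge.exe", "file",
              path=r"C:\Users\alice\Downloads\setup.exe", header=mz),
    ]


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a)
```

The header check is what makes the second rule worth running alongside the first: a payload renamed to .txt or .dat still carries the MZ bytes, whereas the extension list alone would miss it. The temp-directory exclusion is the trade-off in the other direction; it suppresses noise from installers and update agents but also hides a stager that happens to land there, so the excluded paths deserve review in each environment.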

Impact

A successful attack can lead to the introduction of malware, backdoors, or other malicious tools into the compromised system. This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.

Recommendation

  • Deploy the Sigma rule PowerShell Remote File Download to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.
  • Enable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the setup instructions.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule’s note field.
  • Review and customize the whitelisted domains in the Sigma rule to match your organization’s specific environment and trusted external resources, as described in the query field.
  • Block the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.

Detection coverage (2 rules)

PowerShell Remote File Download

Severity: medium

Detects PowerShell downloading executable files from untrusted remote destinations by correlating network and file creation events.

Format: sigma
Tactics: command_and_control, execution
Techniques: T1059.001, T1105
Sources: file_event, windows

PowerShell File Creation with MZ Header

Severity: medium

Detects PowerShell creating files with an MZ header, indicating a possible executable download.

Format: sigma
Tactics: command_and_control, execution
Techniques: T1059.001, T1105
Sources: file_event, windows
