OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

Suspicious PowerShell Download Cradle Activity

Endpoint Security Validation
Detection Rule Validation

概要

Suspicious PowerShell Download Cradle Activity

🧪 Injects Included in This Scenario

The scenario is composed of five Atomic Red Team payloads, each representing a distinct but related download-and-execute pattern:

1️⃣ Run BloodHound from Memory using Download Cradle (PowerShell) 🧠 Executes BloodHound directly in memory using a PowerShell download cradle (IEX + DownloadString), without touching disk.

2️⃣ Invoke mshta.exe Download (PowerShell) 📥 Uses PowerShell to invoke mshta.exe for remote script execution, a well-known Living-off-the-Land technique.

3️⃣ PowerShell XML Requests 🌐 Leverages PowerShell web/XML request capabilities to retrieve remote content over HTTP/S.

4️⃣ PowerShell MsXml COM Object – With Prompt 🧩 Abuses the MSXML2.XMLHTTP COM object to download external payloads, bypassing common PowerShell cmdlet-based detections.

5️⃣ PowerShell Fileless Script Execution ⚡ Executes remote PowerShell code entirely in memory, leaving minimal forensic artifacts on disk.

🧠 MITRE ATT&CK Mapping

Primary Technique: T1059.001 – Command and Scripting Interpreter: PowerShell

Supporting Techniques:

  • T1105 – Ingress Tool Transfer-
  • T1027 – Obfuscated Files or Information-
  • T1071.001 – Web Protocols

🛡️ How OpenAev Validates Detection 🧪

OpenAev enables defenders to validate and strengthen detection logic against these attack patterns by:

✅ Simulating realistic attacker tradecraft using Atomic Red Team payloads ✅ Triggering PowerShell telemetry (ScriptBlock, command line, AMSI, process lineage) ✅ Correlating behaviors across execution, network, and process activity ✅ Identifying detection gaps around fileless and LOLBins-based techniques ✅ Providing repeatable, safe validation of SOC and EDR detection rules

💡 This allows security teams to confirm that alerts trigger where expected, and to tune detections for high-risk PowerShell download cradle activity without relying on real malware.

基本情報

Filigran
Sébastien Miguel
2026年7月01日
2.0.14
80+
2

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。