AiSOC · free tools

Plain English → Sigma

Describe the behaviour you want to detect and get a Sigma rule plus Splunk SPL, Sentinel KQL, and Elastic ES|QL. A deterministic scaffold generated in your browser — a starting point you refine, not a black box.

Sigma
title: Detect powershell.exe launching with a download cradle (DownloadString
status: experimental
description: Detect powershell.exe launching with a download cradle (DownloadString or IEX), MITRE T1059.001
tags:
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - 'download'
      - 'iex'
  condition: selection
falsepositives:
  - Legitimate administrative activity
level: medium
Splunk SPL
index=* sourcetype=WinEventLog
| search title: Detect powershell.exe launching with a download cradle (DownloadString
status: experimental
description: Detect powershell.exe launching with a download cradle (DownloadString or IEX), MITRE T1059.001
tags:
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    process_name|endswith:
      - '\powershell.exe'
    process_path|contains:
      - 'download'
      - 'iex'
  condition: selection
falsepositives:
  - Legitimate administrative activity
level: medium
Microsoft Sentinel KQL
SecurityEvent
| where title: Detect powershell.exe launching with a download cradle (DownloadString
status: experimental
description: Detect powershell.exe launching with a download cradle (DownloadString or IEX), MITRE T1059.001
tags:
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    NewProcessName|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - 'download'
      - 'iex'
  condition: selection
falsepositives:
  - Legitimate administrative activity
level: medium
Elastic ES|QL
FROM logs-*
| WHERE title: Detect powershell.exe launching with a download cradle (DownloadString
status: experimental
description: Detect powershell.exe launching with a download cradle (DownloadString or IEX), MITRE T1059.001
tags:
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    process.executable|endswith:
      - '\powershell.exe'
    process.command_line|contains:
      - 'download'
      - 'iex'
  condition: selection
falsepositives:
  - Legitimate administrative activity
level: medium

Deterministic scaffold generated in your browser — a starting point, not a finished detection. Refine the selection and false positives before deploying.