Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Sigma rule (View on GitHub)
1title: Windows PowerShell User Agent
2id: c8557060-9221-4448-8794-96320e6f3e74
3status: test
4description: Detects Windows PowerShell Web Access
5references:
6 - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
7author: Florian Roth (Nextron Systems)
8date: 2017-03-13
9modified: 2021-11-27
10tags:
11 - attack.defense-evasion
12 - attack.command-and-control
13 - attack.t1071.001
14logsource:
15 category: proxy
16detection:
17 selection:
18 c-useragent|contains: ' WindowsPowerShell/'
19 condition: selection
20falsepositives:
21 - Administrative scripts that download files from the Internet
22 - Administrative scripts that retrieve certain website contents
23level: medium
References
-
The Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. This cmdlet was introduced in PowerShell 3.0. Beginning in PowerShell 7.0, Invoke-WebRequest supports proxy configuration defined by environment variables. See the Notes section of this article. Important The examples in this article reference hosts in the contoso.com domain. This is a fictitious domain used by Microsoft for examples. The examples are designed to show how to use the cmdlets. However, since the contoso.com sites don't exist, the examples don't work. Adapt the examples to hosts in your environment. Beginning in PowerShell 7.4, character encoding for requests defaults to UTF-8 instead of ASCII. If you need a different encoding, you must set the charset attribute in the Content-Type header.
Read More
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HTTP Request With Empty User Agent
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy