Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Sigma rule (View on GitHub)
1title: Windows PowerShell User Agent
2id: c8557060-9221-4448-8794-96320e6f3e74
3status: test
4description: Detects Windows PowerShell Web Access
5references:
6 - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
7author: Florian Roth (Nextron Systems)
8date: 2017-03-13
9modified: 2021-11-27
10tags:
11 - attack.command-and-control
12 - attack.t1071.001
13logsource:
14 category: proxy
15detection:
16 selection:
17 c-useragent|contains: ' WindowsPowerShell/'
18 condition: selection
19falsepositives:
20 - Administrative scripts that download files from the Internet
21 - Administrative scripts that retrieve certain website contents
22level: medium
References
-
The Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. This cmdlet was introduced in PowerShell 3.0. Beginning in PowerShell 7.0, Invoke-WebRequest supports proxy configuration defined by environment variables. See the Notes section of this article. Important The examples in this article reference hosts in the contoso.com domain. This is a fictitious domain used by Microsoft for examples. The examples are designed to show how to use the cmdlets. However, since the contoso.com sites don't exist, the examples don't work. Adapt the examples to hosts in your environment. Beginning in PowerShell 7.4, character encoding for requests defaults to UTF-8 instead of ASCII. If you need a different encoding, you must set the charset attribute in the Content-Type header. By default, the HTTP request includes default values for the following HTTP headers: Accept-Encoding Host User-Agent Use the Headers parameter to add other headers or override the default values.
Read More
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HTTP Request With Empty User Agent
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy