Suspicious PowerShell Download

 1title: Suspicious PowerShell Download
 2id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
 3related:
 4    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
 5      type: derived
 6status: test
 7description: Detects suspicious PowerShell download command
 8references:
 9    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
10author: Florian Roth (Nextron Systems)
11date: 2017-03-05
12modified: 2023-10-27
13tags:
14    - attack.execution
15    - attack.t1059.001
16logsource:
17    product: windows
18    category: ps_classic_start
19detection:
20    selection_webclient:
21        Data|contains: 'Net.WebClient'
22    selection_download:
23        Data|contains:
24            - '.DownloadFile('
25            - '.DownloadString('
26    condition: all of selection_*
27falsepositives:
28    - PowerShell scripts that download content from the Internet
29level: medium

References

• LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

  

  Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint

  
  Read More

Related rules

• AWS EC2 Startup Shell Script Change
• Alternate PowerShell Hosts - PowerShell Module
• Bad Opsec Powershell Code Artifacts
• BloodHound Collection Files
• Certificate Exported Via PowerShell