Suspicious PowerShell Download - PoshModule

 1title: Suspicious PowerShell Download - PoshModule
 2id: de41232e-12e8-49fa-86bc-c05c7e722df9
 3related:
 4    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
 5      type: derived
 6status: test
 7description: Detects suspicious PowerShell download command
 8references:
 9    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
10    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
11author: Florian Roth (Nextron Systems)
12date: 2017-03-05
13modified: 2023-01-20
14tags:
15    - attack.execution
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: ps_module
20    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
21detection:
22    selection_webclient_:
23        ContextInfo|contains: 'System.Net.WebClient'
24    selection_function:
25        ContextInfo|contains:
26            - '.DownloadFile('
27            - '.DownloadString('
28    condition: all of selection_*
29falsepositives:
30    - PowerShell scripts that download content from the Internet
31level: medium

References

• WebClient.DownloadFile Method (System.Net)

  

  Downloads the resource with the specified URI to a local file.

  
  Read More

• WebClient.DownloadString Method (System.Net)

  

  Downloads the requested resource as a String. The resource to download may be specified as either String containing the URI or a Uri.

  
  Read More

Related rules

• AWS EC2 Startup Shell Script Change
• Alternate PowerShell Hosts - PowerShell Module
• Bad Opsec Powershell Code Artifacts
• BloodHound Collection Files
• Certificate Exported Via PowerShell