PowerShell Script With File Upload Capabilities

 1title: PowerShell Script With File Upload Capabilities
 2id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
 3status: test
 4description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
 7    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 8    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
 9author: frack113
10date: 2022-01-07
11modified: 2025-07-18
12tags:
13    - attack.exfiltration
14    - attack.t1020
15logsource:
16    product: windows
17    category: ps_script
18    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
19detection:
20    selection_cmdlet:
21        ScriptBlockText|contains:
22            - 'Invoke-RestMethod'
23            - 'Invoke-WebRequest'
24            - 'irm '
25            - 'iwr '
26    selection_flag:
27        ScriptBlockText|contains:
28            - '-Method "POST"'
29            - '-Method "PUT"'
30            - '-Method POST'
31            - '-Method PUT'
32            - "-Method 'POST'"
33            - "-Method 'PUT'"
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: low

References

• atomic-red-team/atomics/T1020/T1020.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• HTTP/1.1: Method Definitions

  part of Hypertext Transfer Protocol -- HTTP/1.1 RFC 2616 Fielding, et al. 9 Method Definitions The set of common methods for HTTP/1.1 is defined below. Although this set can be expanded, additional...

  
  Read More

• Invoke-WebRequest (Microsoft.PowerShell.Utility) - PowerShell

  

  The Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. This cmdlet was introduced in PowerShell 3.0. Beginning in PowerShell 7.0, Invoke-WebRequest supports proxy configuration defined by environment variables. See the Notes section of this article. Important The examples in this article reference hosts in the contoso.com domain. This is a fictitious domain used by Microsoft for examples. The examples are designed to show how to use the cmdlets. However, since the contoso.com sites don't exist, the examples don't work. Adapt the examples to hosts in your environment. Beginning in PowerShell 7.4, character encoding for requests defaults to UTF-8 instead of ASCII. If you need a different encoding, you must set the charset attribute in the Content-Type header.

  
  Read More

Related rules

• Github Fork Private Repositories Setting Enabled/Cleared
• Github Repository/Organization Transferred
• Modification or Deletion of an AWS RDS Cluster
• AWS RDS Master Password Change
• PowerShell Script With File Hostname Resolving Capabilities