PowerShell Script With File Upload Capabilities

calendar Aug 12, 2024 · attack.exfiltration attack.t1020  ·
Share on: linkedin copy

Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.

Sigma rule (View on GitHub)

 1title: PowerShell Script With File Upload Capabilities
 2id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
 3status: test
 4description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
 7    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 8    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
 9author: frack113
10date: 2022-01-07
11modified: 2023-05-04
12tags:
13    - attack.exfiltration
14    - attack.t1020
15logsource:
16    product: windows
17    category: ps_script
18    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
19detection:
20    selection_cmdlet:
21        ScriptBlockText|contains:
22            - 'Invoke-WebRequest'
23            - 'iwr '
24    selection_flag:
25        ScriptBlockText|contains:
26            - '-Method Put'
27            - '-Method Post'
28    condition: all of selection_*
29falsepositives:
30    - Unknown
31level: low

References

  • atomic-red-team/atomics/T1020/T1020.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

    Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team


    Read More

  • HTTP/1.1: Method Definitions

    part of Hypertext Transfer Protocol -- HTTP/1.1 RFC 2616 Fielding, et al. 9 Method Definitions The set of common methods for HTTP/1.1 is defined below. Although this set can be expanded, additional...


    Read More

  • Invoke-WebRequest (Microsoft.PowerShell.Utility) - PowerShell

    The Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. This cmdlet was introduced in PowerShell 3.0. Beginning in PowerShell 7.0, Invoke-WebRequest supports proxy configuration defined by environment variables. See the Notes section of this article. Important The examples in this article reference hosts in the contoso.com domain. This is a fictitious domain used by Microsoft for examples. The examples are designed to show how to use the cmdlets. However, since the contoso.com sites don't exist, the examples don't work. Adapt the examples to hosts in your environment. Beginning in PowerShell 7.4, character encoding for requests defaults to UTF-8 instead of ASCII. If you need a different encoding, you must set the charset attribute in the Content-Type header.


    Read More

Related rules

to-top