Suspicious PowerShell Download - Powershell Script

 1title: Suspicious PowerShell Download - Powershell Script
 2id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 3related:
 4    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
 5      type: derived
 6status: test
 7description: Detects suspicious PowerShell download command
 8references:
 9    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
10    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
11author: Florian Roth (Nextron Systems)
12date: 2017-03-05
13modified: 2022-12-02
14tags:
15    - attack.execution
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: ps_script
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    webclient:
23        ScriptBlockText|contains: 'System.Net.WebClient'
24    download:
25        ScriptBlockText|contains:
26            - '.DownloadFile('
27            - '.DownloadFileAsync('
28            - '.DownloadString('
29            - '.DownloadStringAsync('
30    condition: webclient and download
31falsepositives:
32    - PowerShell scripts that download content from the Internet
33level: medium

References

• WebClient.DownloadString Method (System.Net)

  

  Downloads the requested resource as a String. The resource to download may be specified as either String containing the URI or a Uri.

  
  Read More

• WebClient.DownloadFile Method (System.Net)

  

  Downloads the resource with the specified URI to a local file.

  
  Read More

Related rules

• AWS EC2 Startup Shell Script Change
• Alternate PowerShell Hosts - PowerShell Module
• Bad Opsec Powershell Code Artifacts
• BloodHound Collection Files
• Certificate Exported Via PowerShell