Suspicious PowerShell Download - Powershell Script
Detects suspicious PowerShell download command
Sigma rule
title: Suspicious PowerShell Download - Powershell Script
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: Detects suspicious PowerShell download command
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    webclient:
        ScriptBlockText|contains: 'System.Net.WebClient'
    download:
        ScriptBlockText|contains:
            - '.DownloadFile('
            - '.DownloadFileAsync('
            - '.DownloadString('
            - '.DownloadStringAsync('
    condition: webclient and download
falsepositives:
    - PowerShell scripts that download content from the Internet
level: medium
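To show what the condition `webclient and download` actually evaluates to, the following is an added example (not code from the Sigma project or the rule author) that applies the rule's two selections to a handful of constructed Script Block Logging events. It assumes the events carry a `ScriptBlockText` field as named in the rule, and it mirrors Sigma's `|contains` modifier as a case-insensitive substring test, which is the default string semantics of the Sigma specification.

```python
"""Added example: evaluate the Sigma rule's detection logic over sample
PowerShell script block events. Not part of the Sigma project."""

# Strings taken directly from the rule's two selections.
WEBCLIENT = "System.Net.WebClient"
DOWNLOAD_METHODS = (
    ".DownloadFile(",
    ".DownloadFileAsync(",
    ".DownloadString(",
    ".DownloadStringAsync(",
)


def matches(script_block_text: str) -> bool:
    """Return True when 'webclient and download' holds for one event.

    Sigma's |contains is a case-insensitive substring match, so both the
    event text and the rule's literals are lower-cased before comparing.
    """
    text = script_block_text.lower()
    webclient = WEBCLIENT.lower() in text
    download = any(m.lower() in text for m in DOWNLOAD_METHODS)
    return webclient and download


# Constructed sample events (field name ScriptBlockText assumed as in the rule).
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText":
        "(New-Object System.Net.WebClient).DownloadString('https://example.invalid/update.ps1')"},
    {"id": 2, "ScriptBlockText":
        "$wc = New-Object system.net.webclient; $wc.DownloadFile($src, $dst)"},
    {"id": 3, "ScriptBlockText":
        "Invoke-WebRequest -Uri https://example.invalid/file.zip -OutFile file.zip"},
    {"id": 4, "ScriptBlockText":
        "$wc = New-Object System.Net.WebClient; $wc.Headers.Add('User-Agent', 'x')"},
    {"id": 5, "ScriptBlockText":
        "$data = $wc.DownloadString($u)"},
]


def evaluate(events):
    """Return the ids of events that satisfy the rule's condition."""
    return [e["id"] for e in events if matches(e["ScriptBlockText"])]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # -> [1, 2]
```

Events 1 and 2 fire because both selections are present in the same event; event 2 also shows that the match is case-insensitive. Event 3 uses a different download cmdlet and is outside this rule's selections, event 4 creates the WebClient but never calls a download method, and event 5 contains the method call without the class name, so the condition is evaluated per event rather than across events. The `falsepositives` entry above is worth keeping in mind when tuning: legitimate administrative scripts that use WebClient downloads will look identical to event 1.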
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files