PowerShell Web Download
Detects suspicious ways to download files or content using PowerShell
Sigma rule (View on GitHub)
1title: PowerShell Web Download
2id: 6e897651-f157-4d8f-aaeb-df8151488385
3status: test
4description: Detects suspicious ways to download files or content using PowerShell
5references:
6 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
7author: Florian Roth (Nextron Systems)
8date: 2022/03/24
9modified: 2023/01/05
10tags:
11 - attack.command_and_control
12 - attack.execution
13 - attack.t1059.001
14 - attack.t1105
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection:
20 CommandLine|contains:
21 - '.DownloadString('
22 - '.DownloadFile('
23 - 'Invoke-WebRequest '
24 - 'iwr '
25 condition: selection
26falsepositives:
27 - Scripts or tools that download files
28level: medium
References
-
This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections. - VirtualAlllocEx/...
Read More
Related rules
- Greenbug Espionage Group Indicators
- Command Line Execution with Suspicious URL and AppData Strings
- PowerShell DownloadFile
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download From IP Based URL Via CertOC.EXE