Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
Sigma rule

```yaml
title: Potential DLL File Download Via PowerShell Invoke-WebRequest
id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
status: test
description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Florian Roth (Nextron Systems), Hieu Tran
date: 2023-03-13
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-RestMethod '
            - 'Invoke-WebRequest '
            - 'IRM '
            - 'IWR '
        CommandLine|contains|all:
            - 'http'
            - 'OutFile'
            - '.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
Related rules
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Command Line Execution with Suspicious URL and AppData Strings
- Greenbug Espionage Group Indicators
- PowerShell DownloadFile
- Suspicious Deno File Written from Remote Source