Potential DLL File Download Via PowerShell Invoke-WebRequest

 1title: Potential DLL File Download Via PowerShell Invoke-WebRequest
 2id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
 3status: test
 4description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
 5references:
 6    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 7author: Florian Roth (Nextron Systems), Hieu Tran
 8date: 2023/03/13
 9tags:
10    - attack.command_and_control
11    - attack.execution
12    - attack.t1059.001
13    - attack.t1105
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection:
19        CommandLine|contains:
20            - 'Invoke-WebRequest '
21            - 'IWR '
22        CommandLine|contains|all:
23            - 'http'
24            - 'OutFile'
25            - '.dll'
26    condition: selection
27falsepositives:
28    - Unknown
29level: medium

References

• OneNote: A Growing Threat for Malware Distribution

  

  Zscaler ThreatLabz team observed multiple OneNote malware campaign spreading RATs, Bankers, and Stealer category malware with multi-layer obfuscation.

  
  Read More

Related rules

• PowerShell Web Download
• Greenbug Espionage Group Indicators
• Command Line Execution with Suspicious URL and AppData Strings
• PowerShell DownloadFile
• DarkGate - Autoit3.EXE File Creation By Uncommon Process