Suspicious Invoke-WebRequest Execution With DirectIP
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
Sigma rule
```yaml
title: Suspicious Invoke-WebRequest Execution With DirectIP
id: 1edff897-9146-48d2-9066-52e8d8f80a2f
status: test
description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
references:
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_commands:
        CommandLine|contains:
            # Invoke-WebRequest, Invoke-RestMethod and their aliases (curl, wget, iwr, irm)
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            - 'wget '
    selection_ip:
        # In case of FP with local IPs add additional filters
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
Related rules
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Suspicious Invoke-WebRequest Execution
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Suspicious Download from Office Domain