Suspicious Invoke-WebRequest Execution With DirectIP

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

Sigma rule (View on GitHub)

 1title: Suspicious Invoke-WebRequest Execution With DirectIP
 2id: 1edff897-9146-48d2-9066-52e8d8f80a2f
 3status: test
 4description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
 5references:
 6    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-04-21
 9tags:
10    - attack.command-and-control
11    - attack.t1105
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        - Image|endswith:
18              - '\powershell_ise.exe'
19              - '\powershell.exe'
20              - '\pwsh.exe'
21        - OriginalFileName:
22              - 'powershell_ise.EXE'
23              - 'PowerShell.EXE'
24              - 'pwsh.dll'
25    selection_commands:
26        CommandLine|contains:
27            # These are all aliases of Invoke-WebRequest
28            - 'curl '
29            - 'Invoke-RestMethod'
30            - 'Invoke-WebRequest'
31            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
32            - 'iwr '
33            - 'wget '
34    selection_ip:
35        # In case of FP with local IPs add additional filters
36        CommandLine|contains:
37            - '://1'
38            - '://2'
39            - '://3'
40            - '://4'
41            - '://5'
42            - '://6'
43            - '://7'
44            - '://8'
45            - '://9'
46    condition: all of selection_*
47falsepositives:
48    - Unknown
49level: medium

References

Related rules

to-top