Suspicious Invoke-WebRequest Execution With DirectIP

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

Sigma rule (View on GitHub)

 1title: Suspicious Invoke-WebRequest Execution With DirectIP
 2id: 1edff897-9146-48d2-9066-52e8d8f80a2f
 3status: test
 4description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
 5references:
 6    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/21
 9tags:
10    - attack.command_and_control
11    - attack.t1105
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        - Image|endswith:
18              - '\powershell.exe'
19              - '\pwsh.exe'
20        - OriginalFileName:
21              - 'PowerShell.EXE'
22              - 'pwsh.dll'
23    selection_commands:
24        CommandLine|contains:
25            # These are all aliases of Invoke-WebRequest
26            - 'curl '
27            - 'Invoke-WebRequest'
28            - 'iwr '
29            - 'wget '
30    selection_ip:
31        # In case of FP with local IPs add additional filters
32        CommandLine|contains:
33            - '://1'
34            - '://2'
35            - '://3'
36            - '://4'
37            - '://5'
38            - '://6'
39            - '://7'
40            - '://8'
41            - '://9'
42    condition: all of selection_*
43falsepositives:
44    - Unknown
45level: medium

References

Related rules

to-top