Suspicious Invoke-WebRequest Execution

Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location

Sigma rule (View on GitHub)

 1title: Suspicious Invoke-WebRequest Execution
 2id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
 3related:
 4    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
 5      type: derived
 6status: test
 7description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
 8references:
 9    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-08-02
12modified: 2025-07-18
13tags:
14    - attack.command-and-control
15    - attack.t1105
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\powershell_ise.exe'
23              - '\powershell.exe'
24              - '\pwsh.exe'
25        - OriginalFileName:
26              - 'powershell_ise.EXE'
27              - 'PowerShell.EXE'
28              - 'pwsh.dll'
29    selection_commands:
30        CommandLine|contains:
31            # These are all aliases of Invoke-WebRequest
32            - 'curl '
33            - 'Invoke-WebRequest'
34            - 'iwr '
35            - 'wget '
36    selection_flags:
37        CommandLine|contains:
38            - ' -ur'
39            - ' -o'
40    selection_susp_locations:
41        CommandLine|contains:
42            - '\AppData\'
43            - '\Desktop\'
44            - '\Temp\'
45            - '\Users\Public\'
46            - '%AppData%'
47            - '%Public%'
48            - '%Temp%'
49            - '%tmp%'
50            - ':\Windows\'
51    condition: all of selection_*
52falsepositives:
53    - Unknown
54level: high

References

Related rules

to-top