Suspicious Invoke-WebRequest Execution
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Sigma rule (View on GitHub)
1title: Suspicious Invoke-WebRequest Execution
2id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
3related:
4 - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
5 type: derived
6status: test
7description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
8references:
9 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-08-02
12modified: 2025-07-18
13tags:
14 - attack.command-and-control
15 - attack.t1105
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\powershell_ise.exe'
23 - '\powershell.exe'
24 - '\pwsh.exe'
25 - OriginalFileName:
26 - 'powershell_ise.EXE'
27 - 'PowerShell.EXE'
28 - 'pwsh.dll'
29 selection_commands:
30 CommandLine|contains:
31 # These are all aliases of Invoke-WebRequest
32 - 'curl '
33 - 'Invoke-WebRequest'
34 - 'iwr '
35 - 'wget '
36 selection_flags:
37 CommandLine|contains:
38 - ' -ur'
39 - ' -o'
40 selection_susp_locations:
41 CommandLine|contains:
42 - '\AppData\'
43 - '\Desktop\'
44 - '\Temp\'
45 - '\Users\Public\'
46 - '%AppData%'
47 - '%Public%'
48 - '%Temp%'
49 - '%tmp%'
50 - ':\Windows\'
51 condition: all of selection_*
52falsepositives:
53 - Unknown
54level: high
References
-
LockBit ransomware finds a new way to evade security controls by leveraging a Windows Defender command line tool.
Read More
Related rules
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Suspicious Invoke-WebRequest Execution With DirectIP
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Suspicious Download from Office Domain