Suspicious Invoke-WebRequest Execution
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Sigma rule (View on GitHub)
1title: Suspicious Invoke-WebRequest Execution
2id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
3related:
4 - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
5 type: derived
6status: experimental
7description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
8references:
9 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/02
12modified: 2024/02/23
13tags:
14 - attack.command_and_control
15 - attack.t1105
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\powershell.exe'
23 - '\pwsh.exe'
24 - OriginalFileName:
25 - 'PowerShell.EXE'
26 - 'pwsh.dll'
27 selection_commands:
28 CommandLine|contains:
29 # These are all aliases of Invoke-WebRequest
30 - 'curl '
31 - 'Invoke-WebRequest'
32 - 'iwr '
33 - 'wget '
34 selection_flags:
35 CommandLine|contains:
36 - ' -ur'
37 - ' -o'
38 selection_susp_locations:
39 CommandLine|contains:
40 - '\AppData\'
41 - '\Desktop\'
42 - '\Temp\'
43 - '\Users\Public\'
44 - '%AppData%'
45 - '%Public%'
46 - '%Temp%'
47 - '%tmp%'
48 - ':\Windows\'
49 condition: all of selection_*
50falsepositives:
51 - Unknown
52level: high
References
-
LockBit ransomware finds a new way to evade security controls by leveraging a Windows Defender command line tool.
Read More
Related rules
- Operator Bring Your Own Tools
- Connection Initiated Via Certutil.EXE
- Network Connection Initiated By IMEWDBLD.EXE
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Potential DLL File Download Via PowerShell Invoke-WebRequest