PowerShell DownloadFile
Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
Sigma rule (View on GitHub)
1title: PowerShell DownloadFile
2id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
3status: test
4description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
7author: Florian Roth (Nextron Systems)
8date: 2020/08/28
9modified: 2021/11/27
10tags:
11 - attack.execution
12 - attack.t1059.001
13 - attack.command_and_control
14 - attack.t1104
15 - attack.t1105
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - 'powershell'
23 - '.DownloadFile'
24 - 'System.Net.WebClient'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
Mandiant has observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central.
Read More
Related rules
- HackTool - Covenant PowerShell Launcher
- HackTool - Empire PowerShell Launch Parameters
- Hidden Powershell in Link File Pattern
- MsiExec Web Install
- Potential PowerShell Obfuscation Via WCHAR