Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Sigma rule
title: Usage Of Web Request Commands And Cmdlets
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
related:
    - id: 1139d2e2-84b1-4226-b445-354492eba8ba
      type: similar
    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
      type: obsolete
    - id: cd5c8085-4070-4e22-908d-a5b3342deb74
      type: obsolete
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
    - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
date: 2019-10-24
modified: 2023-01-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Net.WebClient'
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    condition: selection
falsepositives:
    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
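The rule's selection evaluated over process_creation events, as an added example that is not part of the Sigma project or this page's rule: it applies the `CommandLine|contains` list case-insensitively (Sigma's default for string matching) and separates the documented Get-Help/Get-Command false positive from real hits. The `triage` heuristic and the sample events are assumptions constructed for illustration.

```python
import re

# Keywords copied from the rule's CommandLine|contains selection.
KEYWORDS = [
    "[System.Net.WebRequest]::create", "curl ", "Invoke-RestMethod",
    "Invoke-WebRequest", "iwr ", "Net.WebClient", "Resume-BitsTransfer",
    "Start-BitsTransfer", "wget ", "WinHttp.WinHttpRequest",
]
# Verbs named in the rule's falsepositives entry.
HELP_VERBS = {"get-help", "get-command"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def matched_keywords(command_line):
    """Return the rule keywords contained in command_line, ignoring case."""
    lowered = command_line.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def triage(event):
    """Return (verdict, hits) where verdict is no_match, likely_fp or alert."""
    cmd = event.get("CommandLine", "")
    hits = matched_keywords(cmd)
    if not hits:
        return "no_match", hits
    # Hypothetical analyst heuristic (not in the rule): a help or discovery
    # lookup with no URL on the command line is the documented false positive.
    tokens = {t.strip("\"'") for t in cmd.lower().split()}
    if tokens & HELP_VERBS and not URL_RE.search(cmd):
        return "likely_fp", hits
    return "alert", hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": r'powershell.exe -Command "Invoke-WebRequest -Uri https://example.com/file.txt -OutFile C:\Temp\file.txt"'},
    {"CommandLine": r'powershell.exe -c "IWR https://example.com/a.ps1 -OutFile a.ps1"'},
    {"CommandLine": r'powershell.exe -Command "Get-Help Invoke-WebRequest -Full"'},
    {"CommandLine": r'cmd.exe /c dir C:\Users'},
]


def run_samples():
    """Triage every constructed event and return the list of results."""
    return [triage(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (verdict, hits) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:10} {hits} :: {event['CommandLine']}")
```

The `likely_fp` verdict is a label for analyst review, not a suppression: the rule itself still fires on those events.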
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell