Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Sigma rule
title: Usage Of Web Request Commands And Cmdlets
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
related:
    - id: 1139d2e2-84b1-4226-b445-354492eba8ba
      type: similar
    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
      type: obsolete
    - id: cd5c8085-4070-4e22-908d-a5b3342deb74
      type: obsolete
    - id: 6e897651-f157-4d8f-aaeb-df8151488385
      type: obsolete
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
    - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
date: 2019-10-24
modified: 2025-07-18
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            - 'Net.WebClient'
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    condition: selection
falsepositives:
    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
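The following added example (not part of the Sigma project or of this rule) emulates the rule's `CommandLine|contains` selection in Python so its behaviour can be checked against constructed command lines, including the documented false positive and the substring case that the `' irm '` comment refers to. The function names, the `FP_HINTS` triage hint and the sample events are assumptions made for illustration.

```python
# Added example: emulates the rule's `CommandLine|contains` selection.
# Sigma string matching is case-insensitive and list items are ORed.
PATTERNS = [
    "[System.Net.WebRequest]::create",
    "curl ",
    "Invoke-RestMethod",
    "Invoke-WebRequest",
    " irm ",
    "iwr ",
    "Net.WebClient",
    "Resume-BitsTransfer",
    "Start-BitsTransfer",
    "wget ",
    "WinHttp.WinHttpRequest",
]

# Hypothetical triage hint (not part of the rule): the help/discovery
# cmdlets named in the rule's falsepositives entry.
FP_HINTS = ("get-help", "get-command")


def matched_patterns(command_line):
    """Return the rule patterns contained in command_line."""
    lowered = command_line.lower()
    return [p for p in PATTERNS if p.lower() in lowered]


def evaluate(command_line):
    """Return (fires, hits, likely_false_positive) for one event."""
    hits = matched_patterns(command_line)
    lowered = command_line.lower()
    likely_fp = bool(hits) and any(h in lowered for h in FP_HINTS)
    return bool(hits), hits, likely_fp


# Constructed sample events (not real telemetry).
SAMPLES = [
    'powershell.exe -Command "Invoke-WebRequest -Uri https://example.com/a.txt -OutFile a.txt"',
    "powershell.exe irm https://example.com/api",
    "powershell.exe Get-Help Invoke-WebRequest -Full",
    "cmd.exe /c echo confirm done",  # contains 'irm ' but not ' irm '
    "POWERSHELL.EXE start-bitstransfer -Source https://example.com/f -Destination f",
]

if __name__ == "__main__":
    for cl in SAMPLES:
        fires, hits, fp = evaluate(cl)
        print(f"fires={fires!s:5} fp_hint={fp!s:5} hits={hits} :: {cl}")
```

The third sample fires the rule but is flagged by the triage hint, matching the rule's falsepositives entry; the fourth does not fire because `irm` appears only inside another word.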
Related rules
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Data Exfiltration Activity Via CommandLine Tools
- Usage Of Web Request Commands And Cmdlets - ScriptBlock
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation