Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Sigma rule (View on GitHub)

 1title: Usage Of Web Request Commands And Cmdlets
 2id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
 3related:
 4    - id: 1139d2e2-84b1-4226-b445-354492eba8ba
 5      type: similar
 6    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
 7      type: obsolete
 8    - id: cd5c8085-4070-4e22-908d-a5b3342deb74
 9      type: obsolete
10status: test
11description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
12references:
13    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
14    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
15    - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
16author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
17date: 2019-10-24
18modified: 2023-01-10
19tags:
20    - attack.execution
21    - attack.t1059.001
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        CommandLine|contains:
28            - '[System.Net.WebRequest]::create'
29            - 'curl '
30            - 'Invoke-RestMethod'
31            - 'Invoke-WebRequest'
32            - 'iwr '
33            - 'Net.WebClient'
34            - 'Resume-BitsTransfer'
35            - 'Start-BitsTransfer'
36            - 'wget '
37            - 'WinHttp.WinHttpRequest'
38    condition: selection
39falsepositives:
40    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
41level: medium

References

Related rules

to-top