Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Sigma rule
```yaml
title: Usage Of Web Request Commands And Cmdlets
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
related:
    - id: 1139d2e2-84b1-4226-b445-354492eba8ba
      type: similar
    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
      type: obsoletes
    - id: cd5c8085-4070-4e22-908d-a5b3342deb74
      type: obsoletes
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
    - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
date: 2019/10/24
modified: 2023/01/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Net.WebClient'
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    condition: selection
falsepositives:
    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
```
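As an added example (not part of the rule or of SigmaHQ's tooling), the selection above applied in Python to a few constructed process_creation events, with the Get-Help/Get-Command false positive the rule documents flagged for triage rather than suppressed. The event field names (Image, CommandLine) and the sample command lines are assumptions.

```python
import re

# The rule's selection strings; Sigma `contains` matches case-insensitively.
WEB_REQUEST_PATTERNS = [
    "[System.Net.WebRequest]::create", "curl ", "Invoke-RestMethod",
    "Invoke-WebRequest", "iwr ", "Net.WebClient", "Resume-BitsTransfer",
    "Start-BitsTransfer", "wget ", "WinHttp.WinHttpRequest",
]
# The falsepositives entry: Get-Command/Get-Help referencing a cmdlet, not running it.
FALSE_POSITIVE_RE = re.compile(
    r"get-(?:help|command)\s+(?:invoke-webrequest|start-bitstransfer)\b", re.IGNORECASE)


def matched_patterns(command_line):
    """Return the selection strings present in the CommandLine field (case-insensitive)."""
    lowered = command_line.lower()
    return [p for p in WEB_REQUEST_PATTERNS if p.lower() in lowered]


def is_known_false_positive(command_line):
    """True for the documented benign case, e.g. 'Get-Help Invoke-WebRequest'."""
    return FALSE_POSITIVE_RE.search(command_line) is not None


def evaluate(events):
    """Apply `condition: selection` to process_creation events. The rule still fires on
    the documented false positive, so it is flagged for triage rather than suppressed."""
    alerts = []
    for ev in events:
        hits = matched_patterns(ev.get("CommandLine", ""))
        if hits:
            alerts.append({"Image": ev.get("Image"), "matched": hits, "level": "medium",
                           "known_false_positive": is_known_false_positive(ev["CommandLine"])})
    return alerts


# Constructed sample events (field names Image/CommandLine assumed; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-WebRequest -Uri http://example.invalid/f.txt -OutFile f.txt"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-Help Invoke-WebRequest -Full"'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -o update.bin http://example.invalid/update.bin"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields three medium alerts, the second marked as the known false positive and the notepad event producing none.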
Related rules
- Alternate PowerShell Hosts - PowerShell Module
- Powershell Base64 Encoding (RedCanary Threat Detection Report)
- Powershell Encoded Command Switch (RedCanary Threat Detection Report)
- Powershell Obfuscated Commands (RedCanary Threat Detection Report)
- Suspicious Powershell Commandlets (RedCanary Threat Detection Report)