Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via the CommandLine field

Sigma rule

title: Usage Of Web Request Commands And Cmdlets
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
related:
    - id: 1139d2e2-84b1-4226-b445-354492eba8ba
      type: similar
    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
      type: obsoletes
    - id: cd5c8085-4070-4e22-908d-a5b3342deb74
      type: obsoletes
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
    - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
date: 2019/10/24
modified: 2023/01/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Net.WebClient'
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    condition: selection
falsepositives:
    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
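
How the `selection` above behaves on process-creation command lines, as an added example that is not part of this rule or the Sigma project. It applies `contains` as a case-insensitive substring match; the `triage` function and `HELP_REF` pattern are hypothetical tuning aids derived from the rule's `falsepositives` note, and every command line is constructed.

```python
import re

# Values copied from the rule's CommandLine|contains list.
SELECTION = [
    "[System.Net.WebRequest]::create", "curl ", "Invoke-RestMethod",
    "Invoke-WebRequest", "iwr ", "Net.WebClient", "Resume-BitsTransfer",
    "Start-BitsTransfer", "wget ", "WinHttp.WinHttpRequest",
]

# Hypothetical pattern (not in the rule): "Get-Help <name>" / "Get-Command [-Name] <name>".
HELP_REF = re.compile(r"\b(?:get-help|get-command)\s+(?:-name\s+)?[\w\-]+", re.IGNORECASE)


def matched_patterns(command_line):
    """Return the selection values present in CommandLine, ignoring case."""
    haystack = command_line.lower()
    return [p for p in SELECTION if p.lower() in haystack]


def triage(command_line):
    """Classify a command line as no_match, likely_false_positive or alert."""
    hits = matched_patterns(command_line)
    if not hits:
        return "no_match", hits
    # Remove help/discovery references, then re-test what is left. A line that
    # still matches is doing more than looking up documentation.
    remainder = HELP_REF.sub(" ", command_line)
    if not matched_patterns(remainder):
        return "likely_false_positive", hits
    return "alert", hits


# Constructed sample command lines (not taken from real telemetry).
SAMPLES = [
    "POWERSHELL.EXE (new-object net.webclient).DownloadString('https://example.test/x')",
    "powershell.exe -Command Get-Help Invoke-WebRequest",
    "powershell.exe Get-Command -Name Start-BitsTransfer",
    'powershell -c "Get-Help Invoke-WebRequest; iwr https://example.test/a.txt -OutFile a.txt"',
    "cmd.exe /c ipconfig /all",
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict, hits = triage(line)
        print(f"{verdict:22} {hits} <- {line}")
```

The fourth sample shows why the help-reference filter re-tests the remainder instead of suppressing the whole event.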
