2022-01-08 09:17:56 +01:00
|
|
|
title: Windows PowerShell Upload Web Request
|
|
|
|
|
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
|
|
|
|
|
status: experimental
|
|
|
|
|
description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
|
|
|
|
|
references:
|
2022-07-11 14:11:53 +01:00
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
|
2022-01-08 09:17:56 +01:00
|
|
|
- https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
|
|
|
|
|
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
|
|
|
|
|
author: frack113
|
|
|
|
|
date: 2022/01/07
|
2023-01-02 14:49:45 +01:00
|
|
|
modified: 2023/01/02
|
2022-10-26 09:43:39 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.exfiltration
|
|
|
|
|
- attack.t1020
|
2022-01-08 09:17:56 +01:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
category: ps_script
|
2022-07-07 19:13:01 +01:00
|
|
|
definition: Script block logging must be enabled
|
2022-01-08 09:17:56 +01:00
|
|
|
detection:
|
|
|
|
|
selection_cmdlet:
|
|
|
|
|
ScriptBlockText|contains:
|
|
|
|
|
- 'Invoke-WebRequest'
|
|
|
|
|
- 'iwr '
|
2023-01-02 14:49:45 +01:00
|
|
|
selection_flag:
|
2022-01-08 09:17:56 +01:00
|
|
|
ScriptBlockText|contains: '-Method '
|
|
|
|
|
selection_verb:
|
2023-01-02 14:49:45 +01:00
|
|
|
ScriptBlockText|contains:
|
|
|
|
|
- ' Put '
|
|
|
|
|
- ' Post '
|
2022-01-08 09:17:56 +01:00
|
|
|
condition: all of selection_*
|
|
|
|
|
falsepositives:
|
2022-03-16 14:39:23 +01:00
|
|
|
- Legitimate script
|
2022-01-08 09:17:56 +01:00
|
|
|
level: medium
|
