rules/windows/powershell/powershell_suspicious_download.yml

action: global
title: Suspicious PowerShell Download
status: experimental
description: Detects suspicious PowerShell download command
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
author: Florian Roth
date: 2017/03/05
modified: 2021/07/20
falsepositives:
    - PowerShell scripts that download content from the Internet
level: medium
---
id: 65531a81-a694-4e31-ae04-f8ba5bc33759
logsource:
    product: windows
    service: powershell
detection:
    webclient:
        - 'System.Net.WebClient'
    download:
        - '.DownloadFile('
        - '.DownloadString('
    condition: webclient and download
---
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
logsource:
    product: windows
    service: powershell-classic
    definition: fields have to be extract from event
detection:
    downloadfile:
        EventID: 400 #  get 400 ,403 and 600 for 1 execution
        HostApplication|contains|all:
            - 'System.Net.WebClient'
            - '.DownloadFile('
    downloadstring:
        EventID: 400
        HostApplication|contains|all:
            - 'System.Net.WebClient'
            - '.DownloadString('
    condition: downloadfile or downloadstring
$frack113$ update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00			`action: global`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`title: Suspicious PowerShell Download`
			`status: experimental`
			`description: Detects suspicious PowerShell download command`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2017/03/05`
$frack113$ update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00			`modified: 2021/07/20`
			`falsepositives:`
			`- PowerShell scripts that download content from the Internet`
			`level: medium`
			`---`
$frack113$ move uuid from global 2021-09-02 16:05:05 +02:00			`id: 65531a81-a694-4e31-ae04-f8ba5bc33759`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
			`service: powershell`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`detection:`
fix: Correct incorrect message / keyword usage 2021-08-12 14:03:18 +02:00			`webclient:`
			`- 'System.Net.WebClient'`
			`download:`
			`- '.DownloadFile('`
			`- '.DownloadString('`
			`condition: webclient and download`
$frack113$ update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00			`---`
$frack113$ move uuid from global 2021-09-02 16:05:05 +02:00			`id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d`
$frack113$ update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00			`logsource:`
			`product: windows`
			`service: powershell-classic`
$frack113$ add definition to powershell-classic 2021-08-16 12:56:24 +02:00			`definition: fields have to be extract from event`
$frack113$ update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00			`detection:`
			`downloadfile:`
			`EventID: 400 # get 400 ,403 and 600 for 1 execution`
			`HostApplication\|contains\|all:`
			`- 'System.Net.WebClient'`
			`- '.DownloadFile('`
			`downloadstring:`
$frack113$ fix case EventID 2021-07-20 16:26:13 +02:00			`EventID: 400`
$frack113$ update powershell_suspicious_download.yml 2021-07-20 16:12:24 +02:00			`HostApplication\|contains\|all:`
			`- 'System.Net.WebClient'`
			`- '.DownloadString('`
			`condition: downloadfile or downloadstring`