Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules

remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Swachchhanda Shrawan Poudel
2025-07-28 17:17:57 +05:45
committed by GitHub
parent af492dc0f6
commit 1e41c5378e
12 changed files with 52 additions and 20 deletions
@@ -8,7 +8,7 @@ references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
author: frack113
date: 2022-01-07
modified: 2023-05-04
modified: 2025-07-18
tags:
- attack.exfiltration
- attack.t1020
@@ -19,12 +19,18 @@ logsource:
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
selection_flag:
ScriptBlockText|contains:
- '-Method Put'
- '-Method Post'
- '-Method "POST"'
- '-Method "PUT"'
- '-Method POST'
- '-Method PUT'
- "-Method 'POST'"
- "-Method 'PUT'"
condition: all of selection_*
falsepositives:
- Unknown
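Review bot: The `'irm '` entry added to selection_cmdlet has no leading space, unlike the `' irm '` this same commit uses for the alias in the other two rules, so any ScriptBlockText containing the common parameter `-Confirm ` (or any word ending in "irm ") already satisfies selection_cmdlet and only the `-Method Post/Put` list stands between that and an alert. I would align it with the sibling rules: `- ' irm ' # Space before and after to avoid false positives with '-Confirm ' and similar substrings`. Separately, and hedged because it may be an accepted trade-off, PowerShell also accepts `-Method:Post` and parameter-prefix forms such as `-Meth Post`, none of which match the `-Method ` variants in selection_flag.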
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2023-01-02
modified: 2025-07-18
tags:
- attack.command-and-control
- attack.t1071.001
@@ -17,11 +17,15 @@ logsource:
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
selection_webrequest:
ScriptBlockText|contains:
- 'Invoke-WebRequest'
- '-UserAgent '
condition: selection
- 'Invoke-RestMethod'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
- 'iwr '
selection_useragent:
ScriptBlockText|contains: '-UserAgent '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
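Review bot: The space-padded `' irm '` will not match when the alias is preceded by anything other than whitespace, e.g. `(irm`, `;irm`, `|irm`, `{irm`, `=irm` or a script block that begins with `irm`, while `'iwr '` is left unpadded, so the two aliases are treated differently without a stated reason. If the padding is kept for false-positive reasons, the comment should say what is being missed, e.g. `# Leading space avoids matching 'irm' inside other names; misses '(irm', ';irm' and a block starting with 'irm'`. The new selection_useragent only matches `-UserAgent ` with a trailing space, which presumably misses `-UserAgent:'...'` and a user agent set via `-Headers @{'User-Agent'=...}`; worth confirming whether those forms are in scope for this rule.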
@@ -10,7 +10,7 @@ references:
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019-10-24
modified: 2023-01-10
modified: 2025-07-18
tags:
- attack.execution
- attack.t1059.001
@@ -25,6 +25,7 @@ detection:
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
- 'iwr '
- 'Net.WebClient'
- 'Resume-BitsTransfer'
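Review bot: The `' irm '` entry requires whitespace before the alias, which in a command-line context misses the common `powershell -c "irm http://...|iex"` and `-Command 'irm ...'` shapes where the alias directly follows a quote; the comment on the line only explains the false-positive side of that trade-off. If the logsource here is command line rather than script block (not visible in this hunk), consider also listing `- '"irm '` and `- "'irm "` next to it, or stating in the comment that quote-prefixed invocations are knowingly not covered. The `'iwr '` entry below it is unpadded, so the two aliases are handled inconsistently within the same list. The enclosing contains list and detection block start before this hunk.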