From 570200b711024bf8dc4e4031a14969eb5180ae32 Mon Sep 17 00:00:00 2001 From: Sanskar Phougat <146339892+Sanskar-bot@users.noreply.github.com> Date: Tue, 28 Apr 2026 04:00:25 +0530 Subject: [PATCH] Merge PR #5952 from @Sanskar-bot - Update `PowerShell Download Via Net.WebClient - PowerShell Classic` update: PowerShell Download Via Net.WebClient - PowerShell Classic - Reduce level to "low" and update metadata --------- Co-authored-by: Nasreddine Bencherchali --- ...load.yml => posh_pc_download_via_webclient.yml} | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) rename rules/windows/powershell/powershell_classic/{posh_pc_susp_download.yml => posh_pc_download_via_webclient.yml} (54%) diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_download_via_webclient.yml similarity index 54% rename from rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml rename to rules/windows/powershell/powershell_classic/posh_pc_download_via_webclient.yml index 012d059f0..cb92c53cd 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_download_via_webclient.yml 
@@ -1,18 +1,22 @@ -title: Suspicious PowerShell Download +title: PowerShell Download Via Net.WebClient - PowerShell Classic id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 type: derived status: test -description: Detects suspicious PowerShell download command +description: | + Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class. + This technique is often abused by attackers to download additional payloads. references: - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html author: Florian Roth (Nextron Systems) date: 2017-03-05 -modified: 2023-10-27 +modified: 2026-04-28 tags: - attack.execution + - attack.command-and-control - attack.t1059.001 + - attack.t1105 logsource: product: windows category: ps_classic_start @@ -25,5 +29,5 @@ detection: - '.DownloadString(' condition: all of selection_* falsepositives: - - PowerShell scripts that download content from the Internet -level: medium + - This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter. +level: low
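Review bot: In the first hunk the new title and description commit the rule to "the .DownloadFile() or .DownloadString() methods of the Net.WebClient class", but the only selection term visible in this patch is `- '.DownloadString('` in the unchanged context of the second hunk; nothing shown in the diff confirms that `selection_*` also requires a `Net.WebClient` (or `New-Object`) token and a `.DownloadFile(` term. Please double-check the untouched detection block against the new wording so the metadata does not promise a narrower or broader match than the logic actually performs; if the class name is not part of the selection, retitle to something like `PowerShell Download Via DownloadString/DownloadFile Methods - PowerShell Classic`. Minor style point on the same hunk: the comma in `Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods` is unnecessary and reads oddly; drop it. The added `attack.command-and-control` and `attack.t1105` tags are consistent with each other and with the renamed rule.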
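Review bot: The second hunk lowers `level` from `medium` to `low` while the replacement `falsepositives` entry tells the analyst to "Investigate any such activity and apply the necessary filter"; a rule whose guidance is to investigate every hit should not simultaneously be rated as rarely worth attention, so either keep `medium` or reword the entry to describe the expected benign noise only. Separately, the `falsepositives` field in these rules conventionally lists sources of false positives rather than handling instructions; I would keep just the first sentence, e.g. `- Legitimate software such as patch management tools or software updaters`, and leave the filtering advice out of the field (the commit message already states the intent of the level change). The diffstat in the header (`9 insertions(+), 5 deletions(-)`) matches the two hunks, and the `modified: 2026-04-28` date agrees with the commit date, so nothing else to flag here.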