Windows Redcannary

rules/windows/powershell/powershell_script/powershell_ps_upload.yml

@@ -0,0 +1,31 @@
+title: Windows PowerShell Upload Web Request
+id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
+status: experimental
+description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
+    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains:
+            - 'Invoke-WebRequest'
+            - 'iwr '
+    selection_method:
+        ScriptBlockText|contains: '-Method '
+    selection_verb:
+            - ' Put ' 
+            - ' Post '
+    condition: all of selection_*
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1020