security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2bfd4ea654d0cfe77d5c2ec4e7cb8692e3cd08bb
blue-team-tools/rules/windows/powershell/powershell_suspicious_download.yml
T
Karneades aafab2e936 fix: bound keywords to field in multiple PS rules 
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00

20 lines
515 B
YAML
Raw Blame History

title: Suspicious PowerShell Download
status: experimental
description: Detects suspicious PowerShell download command
tags:
- attack.execution
- attack.t1086
author: Florian Roth
logsource:
product: windows
service: powershell
detection:
keywords:
Message:
- '*System.Net.WebClient).DownloadString(*'
- '*system.net.webclient).downloadfile(*'
condition: keywords
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
Reference in New Issue View Git Blame Copy Permalink