security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aaafef29b4aa53e8ebb5cd488dbf873865402dcc
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_upload.yml
T
phantinuss 043747822f fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00

32 lines
1.0 KiB
YAML
Raw Blame History

title: Windows PowerShell Upload Web Request
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: experimental
description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
- https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
author: frack113
date: 2022/01/07
logsource:
product: windows
category: ps_script
definition: 'Script block logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'Invoke-WebRequest'
- 'iwr '
selection_method:
ScriptBlockText|contains: '-Method '
selection_verb:
- ' Put '
- ' Post '
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium
tags:
- attack.exfiltration
- attack.t1020
Reference in New Issue View Git Blame Copy Permalink