Usage Of Web Request Commands And Cmdlets - ScriptBlock
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
Log Source
Windows / PowerShell Script
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
detection:
    selection:
        ScriptBlockText|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            # - 'Net.WebClient' # There are various other rules that cover this, so it is commented out
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    filter:
        Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    condition: selection and not filter
False Positives
Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
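To see how the selection, the filter and the documented false positive interact, here is an added Python evaluation of the rule's logic over constructed 4104 script block events. It is not part of the Sigma rule or its tooling; it assumes Sigma's default case-insensitive matching for the contains and startswith modifiers.

```python
# Added example: evaluate "selection and not filter" from the rule above
# against constructed PowerShell Script Block Logging events.
# Assumption: Sigma string modifiers match case-insensitively by default.

SELECTION_CONTAINS = [
    "[System.Net.WebRequest]::create",
    "curl ",
    "Invoke-RestMethod",
    "Invoke-WebRequest",
    " irm ",  # padded so 'irm' inside another word (e.g. Confirm) does not match
    "iwr ",
    "Resume-BitsTransfer",
    "Start-BitsTransfer",
    "wget ",
    "WinHttp.WinHttpRequest",
]
# Path prefix excluded by the rule's filter (Azure Guest Configuration extension)
FILTER_PATH_PREFIX = "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\"


def selection_matches(event: dict) -> bool:
    """True if ScriptBlockText contains any listed needle (case-insensitive)."""
    text = event.get("ScriptBlockText", "").lower()
    return any(needle.lower() in text for needle in SELECTION_CONTAINS)


def filter_matches(event: dict) -> bool:
    """True if the script Path starts with the excluded plugin directory."""
    return event.get("Path", "").lower().startswith(FILTER_PATH_PREFIX.lower())


def rule_matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return selection_matches(event) and not filter_matches(event)


# Constructed sample events (not real telemetry); Path is the script file path
SAMPLE_EVENTS = [
    {"ScriptBlockText": "Invoke-WebRequest -Uri https://example.invalid/a.txt -OutFile a.txt",
     "Path": "C:\\Users\\alice\\run.ps1"},                              # alert
    {"ScriptBlockText": "$r = irm https://example.invalid/api", "Path": ""},  # alert via ' irm '
    {"ScriptBlockText": "Confirm-Settings -Path .\\firmware.cfg", "Path": ""},  # 'irm' substring only: no alert
    {"ScriptBlockText": "Invoke-WebRequest -Uri https://example.invalid/cfg",
     "Path": FILTER_PATH_PREFIX + "1.0\\run.ps1"},                       # excluded by filter
    {"ScriptBlockText": "Get-Help Invoke-WebRequest -Full", "Path": ""},  # documented false positive: alerts
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return the rule verdict for each event, in order."""
    return [rule_matches(e) for e in events]
```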
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
1139d2e2-84b1-4226-b445-354492eba8ba
Status
test
Level
medium
Type
Detection
Created
Thu Oct 24
Modified
Mon Oct 20
Author
Path
rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
Raw Tags
attack.execution, attack.t1059.001