Detectionlowtest
PowerShell Download Via Net.WebClient - PowerShell Classic
Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class. This technique is often abused by attackers to download additional payloads.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Sun Mar 05Updated Tue Apr 283236fcd0-b7e3-4433-b4f8-86ad61a9af2dwindows
Log Source
WindowsPowerShell Classic
ProductWindows← raw: windows
CategoryPowerShell Classic← raw: ps_classic_start
Detection Logic
Detection Logic2 selectors
detection:
selection_webclient:
Data|contains: 'Net.WebClient'
selection_download:
Data|contains:
- '.DownloadFile('
- '.DownloadString('
condition: all of selection_*False Positives
This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter.
References
MITRE ATT&CK
Techniques
Sub-techniques
Related Rules
Derived
Rule not found65531a81-a694-4e31-ae04-f8ba5bc33759
Rule Metadata
Rule ID
3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
Status
test
Level
low
Type
Detection
Created
Sun Mar 05
Modified
Tue Apr 28
Path
rules/windows/powershell/powershell_classic/posh_pc_download_via_webclient.yml
Raw Tags
attack.executionattack.command-and-controlattack.t1059.001attack.t1105