Detectionmediumtest

Suspicious PowerShell Download

Detects suspicious PowerShell download command

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Mar 05Updated Fri Oct 273236fcd0-b7e3-4433-b4f8-86ad61a9af2dwindows

Log Source

WindowsPowerShell Classic

ProductWindows← raw: windows

CategoryPowerShell Classic← raw: ps_classic_start

Detection Logic

detection:
    selection_webclient:
        Data|contains: 'Net.WebClient'
    selection_download:
        Data|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*

False Positives

PowerShell scripts that download content from the Internet

References

Resolving title…

trendmicro.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Related Rules

Derived

65531a81-a694-4e31-ae04-f8ba5bc33759

Rule not found

Rule Metadata

Rule ID

3236fcd0-b7e3-4433-b4f8-86ad61a9af2d

Status

test

Level

medium

Type

Detection

Created

Sun Mar 05

Modified

Fri Oct 27

Author

Florian Roth (Nextron Systems)

Path

rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml

Raw Tags

attack.executionattack.t1059.001

View on GitHub