Detectionhightest
Suspicious Invoke-WebRequest Execution
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 02Updated Fri Jul 185e3cc4d8-3e68-43db-8656-eaaeefdec9ccwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_commands:
CommandLine|contains:
# These are all aliases of Invoke-WebRequest
- 'curl '
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
selection_flags:
CommandLine|contains:
- ' -ur'
- ' -o'
selection_susp_locations:
CommandLine|contains:
- '\AppData\'
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- ':\Windows\'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
Status
test
Level
high
Type
Detection
Created
Tue Aug 02
Modified
Fri Jul 18
Path
rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
Raw Tags
attack.command-and-controlattack.t1105