Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
James Pemberton, Endgame, JHasenbusch, oscd.community, Austin SongerCreated Thu Oct 24Updated Mon Oct 209fc51a3c-81b3-4fa7-b35f-7c02cf10fd2dwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        CommandLine|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            # - 'Net.WebClient' # There are various other rules that cover this, so it is commented out
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    condition: selection
False Positives

Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.

References
1
Resolving title…
4sysops.com
2
Resolving title…
blog.jourdant.me
3
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Usage Of Web Request Commands And Cmdlets - ScriptBlock

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Detects similar activity. Both rules may fire on overlapping events.

Similar

f67dbfce-93bc-440d-86ad-a95ae8858c90

Rule not found
Similar

cd5c8085-4070-4e22-908d-a5b3342deb74

Rule not found
Similar

6e897651-f157-4d8f-aaeb-df8151488385

Rule not found
Rule Metadata
Rule ID
9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
Status
test
Level
medium
Type
Detection
Created
Thu Oct 24
Modified
Mon Oct 20
Author
James Pemberton, Endgame, JHasenbusch, oscd.community, Austin Songer
Path
rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub