Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

PowerShell Script With File Upload Capabilities

Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Fri Jan 07Updated Fri Jul 18d2e3f2f6-7e09-4bf2-bc5d-90186809e7fbwindows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

bade5735-5ab0-4aa7-a642-a11be0e40872

Detection Logic
Detection Logic2 selectors
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
    selection_flag:
        ScriptBlockText|contains:
            - '-Method "POST"'
            - '-Method "PUT"'
            - '-Method POST'
            - '-Method PUT'
            - "-Method 'POST'"
            - "-Method 'PUT'"
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
w3.org
3
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
Status
test
Level
low
Type
Detection
Created
Fri Jan 07
Modified
Fri Jul 18
Author
François Hubaut
Path
rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
Raw Tags
attack.exfiltrationattack.t1020
View on GitHub