Detectionmediumtest

Suspicious PowerShell Download - PoshModule

Detects suspicious PowerShell download command

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Mar 05Updated Fri Jan 20de41232e-12e8-49fa-86bc-c05c7e722df9windows

Log Source

WindowsPowerShell Module

ProductWindows← raw: windows

CategoryPowerShell Module← raw: ps_module

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic

detection:
    selection_webclient_:
        ContextInfo|contains: 'System.Net.WebClient'
    selection_function:
        ContextInfo|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*

False Positives

PowerShell scripts that download content from the Internet

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Related Rules

Derived

65531a81-a694-4e31-ae04-f8ba5bc33759

Rule not found

Rule Metadata

Rule ID

de41232e-12e8-49fa-86bc-c05c7e722df9

Status

test

Level

medium

Type

Detection

Created

Sun Mar 05

Modified

Fri Jan 20

Author

Florian Roth (Nextron Systems)

Path

rules/windows/powershell/powershell_module/posh_pm_susp_download.yml

Raw Tags

attack.executionattack.t1059.001

View on GitHub