Detectionhightest
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Mon Feb 28Updated Tue Mar 01e6c54d94-498c-4562-a37c-b469d8e9a275windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
CommandLine|contains: # make sure that your backend applies the strings case-insensitive
- 'IEX ((New-Object Net.WebClient).DownloadString'
- 'IEX (New-Object Net.WebClient).DownloadString'
- 'IEX((New-Object Net.WebClient).DownloadString'
- 'IEX(New-Object Net.WebClient).DownloadString'
- ' -command (New-Object System.Net.WebClient).DownloadFile('
- ' -c (New-Object System.Net.WebClient).DownloadFile('
condition: selectionFalse Positives
Software installers that pull packages from remote systems and execute them
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
e6c54d94-498c-4562-a37c-b469d8e9a275
Status
test
Level
high
Type
Detection
Created
Mon Feb 28
Modified
Tue Mar 01
Path
rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
Raw Tags
attack.executionattack.t1059.001