-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathproc_creation_win_powershell_invoke_webrequest_download.yml
More file actions
54 lines (54 loc) · 1.57 KB
/
proc_creation_win_powershell_invoke_webrequest_download.yml
File metadata and controls
54 lines (54 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
title: Suspicious Invoke-WebRequest Execution
id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
related:
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
type: derived
status: test
description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-07-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_commands:
CommandLine|contains:
# These are all aliases of Invoke-WebRequest
- 'curl '
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
selection_flags:
CommandLine|contains:
- ' -ur'
- ' -o'
selection_susp_locations:
CommandLine|contains:
- '\AppData\'
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- ':\Windows\'
condition: all of selection_*
falsepositives:
- Unknown
level: high