Suspicious Invoke-WebRequest Execution
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (PROCESSNAME endswith "\powershell_ise.exe,\powershell.exe,\pwsh.exe" OR ORIGINALFILENAME = "powershell_ise.EXE,PowerShell.EXE,pwsh.dll") AND COMMANDLINE contains "curl ,Invoke-WebRequest,iwr ,wget " AND COMMANDLINE contains " -ur, -o" AND COMMANDLINE contains "\AppData\,\Desktop\,\Temp\,\Users\Public\,%AppData%,%Public%,%Temp%,%tmp%,:\Windows"
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Nasreddine Bencherchali (Nextron Systems)
