LoFP / powershell scripts that download content from the internet

Techniques

Sample rules

Suspicious PowerShell Download - PoshModule

Description

Detects suspicious PowerShell download command

Detection logic

condition: all of selection_*
selection_function:
  ContextInfo|contains:
  - .DownloadFile(
  - .DownloadString(
selection_webclient_:
  ContextInfo|contains: System.Net.WebClient

Suspicious PowerShell Download

Description

Detects suspicious PowerShell download command

Detection logic

condition: all of selection_*
selection_download:
  Data|contains:
  - .DownloadFile(
  - .DownloadString(
selection_webclient:
  Data|contains: Net.WebClient

Suspicious PowerShell Download - Powershell Script

Description

Detects suspicious PowerShell download command

Detection logic

condition: webclient and download
download:
  ScriptBlockText|contains:
  - .DownloadFile(
  - .DownloadFileAsync(
  - .DownloadString(
  - .DownloadStringAsync(
webclient:
  ScriptBlockText|contains: System.Net.WebClient