scripts or tools that download files

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml>sigma
technicques: t1059 t1059.001 t1105

Techniques

Detects suspicious ways to download files or content using PowerShell

condition: selection
selection:
  CommandLine|contains:
  - .DownloadString(
  - .DownloadFile(
  - 'Invoke-WebRequest '
  - 'iwr '