LoFP / use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.

Sample rules

Usage Of Web Request Commands And Cmdlets

Description

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - '[System.Net.WebRequest]::create'
  - 'curl '
  - Invoke-RestMethod
  - Invoke-WebRequest
  - 'iwr '
  - Net.WebClient
  - Resume-BitsTransfer
  - Start-BitsTransfer
  - 'wget '
  - WinHttp.WinHttpRequest

Usage Of Web Request Commands And Cmdlets - ScriptBlock

Description

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Detection logic

condition: selection and not filter
filter:
  Path|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
selection:
  ScriptBlockText|contains:
  - '[System.Net.WebRequest]::create'
  - 'curl '
  - Invoke-RestMethod
  - Invoke-WebRequest
  - 'iwr '
  - Net.WebClient
  - Resume-BitsTransfer
  - Start-BitsTransfer
  - 'wget '
  - WinHttp.WinHttpRequest
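The two selections above share the same pattern list and differ only in the log source and the path filter. The following is an added example, not code from the LoFP page or the Sigma project: a small Python re-implementation of both rules, run over constructed events, that shows which events fire and why the case named in the page title (Get-Help or Get-Command referencing Invoke-WebRequest or Start-BitsTransfer) is a false positive. The `HELP_LOOKUP` heuristic, the `triage` verdict names and the sample events are assumptions made for the example; Sigma `contains` and `startswith` modifiers are case-insensitive by default, which is why both sides are lower-cased.

```python
"""Re-implementation of the two Sigma selections from the page (added example)."""
import re

# Patterns copied from the rules' `CommandLine|contains` / `ScriptBlockText|contains` lists.
WEB_REQUEST_PATTERNS = [
    "[System.Net.WebRequest]::create",
    "curl ",
    "Invoke-RestMethod",
    "Invoke-WebRequest",
    "iwr ",
    "Net.WebClient",
    "Resume-BitsTransfer",
    "Start-BitsTransfer",
    "wget ",
    "WinHttp.WinHttpRequest",
]

# Path filter from the ScriptBlock rule (only that rule has it; the CommandLine rule has none).
SCRIPTBLOCK_FILTER_PATH_PREFIX = (
    "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\"
)

# Assumption for this example: cmdlets that only look up help/metadata about another cmdlet.
HELP_LOOKUP = r"(get-help|get-command|help|man)\s+(-name\s+)?"


def matched_patterns(text):
    """Patterns from the rule list that occur in `text` (case-insensitive, like Sigma `contains`)."""
    lowered = text.lower()
    return [p for p in WEB_REQUEST_PATTERNS if p.lower() in lowered]


def commandline_rule_fires(command_line):
    """Rule 1: `condition: selection` over CommandLine, no filter."""
    return bool(matched_patterns(command_line))


def scriptblock_rule_fires(script_block_text, path=""):
    """Rule 2: `condition: selection and not filter` over ScriptBlockText with a Path filter."""
    if path.lower().startswith(SCRIPTBLOCK_FILTER_PATH_PREFIX.lower()):
        return False
    return bool(matched_patterns(script_block_text))


def is_help_lookup_only(text):
    """True when every matched pattern appears only as the argument of a help/metadata cmdlet.

    Heuristic added for this example (not part of either rule): it identifies the
    LoFP case in the page title so an analyst can down-rank it before review.
    """
    lowered = text.lower()
    hits = matched_patterns(text)
    if not hits:
        return False
    return all(
        re.search(HELP_LOOKUP + re.escape(hit.lower().strip()), lowered) for hit in hits
    )


# Constructed sample events (CommandLine-or-ScriptBlockText, Path); not real telemetry.
CONSTRUCTED_EVENTS = [
    ("powershell.exe Get-Help Invoke-WebRequest -Full", ""),               # page's FP case
    ("powershell.exe Get-Command -Name Start-BitsTransfer", ""),           # page's FP case
    ("powershell.exe -c Invoke-WebRequest -Uri http://example.invalid/a -OutFile a.txt", ""),
    ("cmd.exe /c dir", ""),
    ("Start-BitsTransfer -Source http://example.invalid/b -Destination C:\\temp\\b",
     "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\s.ps1"),
]


def triage(events):
    """Verdict per event: 'no-match', 'filtered', 'help-lookup' (likely FP) or 'match'."""
    verdicts = []
    for text, path in events:
        if not matched_patterns(text):
            verdicts.append("no-match")
        elif not scriptblock_rule_fires(text, path):
            verdicts.append("filtered")
        elif is_help_lookup_only(text):
            verdicts.append("help-lookup")
        else:
            verdicts.append("match")
    return verdicts


if __name__ == "__main__":
    for (text, path), verdict in zip(CONSTRUCTED_EVENTS, triage(CONSTRUCTED_EVENTS)):
        print(f"{verdict:12s} {text}")
```

Note the trailing spaces in `'curl '`, `'iwr '` and `'wget '`: they are part of the rule strings, so a command line ending in `iwr` with nothing after it does not match, while `iwr http://...` does. The help-lookup verdict is a triage aid, not a change to the rule; the rule still fires on those events exactly as the page's false-positive entry says it will.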