Detection rules › Sigma
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection
or:
CommandLine|contains: ' -c (New-Object System.Net.WebClient).DownloadFile('
CommandLine|contains: ' -command (New-Object System.Net.WebClient).DownloadFile('
CommandLine|contains: 'IEX ((New-Object Net.WebClient).DownloadString'
CommandLine|contains: 'IEX (New-Object Net.WebClient).DownloadString'
CommandLine|contains: 'IEX((New-Object Net.WebClient).DownloadString'
CommandLine|contains: 'IEX(New-Object Net.WebClient).DownloadString'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|