
Usage Of Web Request Commands And Cmdlets

Severity
medium
Author
James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
Source
upstream

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

MITRE ATT&CK coverage

Tactic      Techniques
Execution   T1059.001 Command and Scripting Interpreter: PowerShell

Event coverage

Provider            Event ID   Title
Sysmon              1          Process creation
Security-Auditing   4688       A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: ' irm '
CommandLine|contains: Invoke-RestMethod
CommandLine|contains: Invoke-WebRequest
CommandLine|contains: Resume-BitsTransfer
CommandLine|contains: Start-BitsTransfer
CommandLine|contains: WinHttp.WinHttpRequest
CommandLine|contains: '[System.Net.WebRequest]::create'
CommandLine|contains: 'curl '
CommandLine|contains: 'iwr '
CommandLine|contains: 'wget '
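To see how the selection stage above behaves on real-looking telemetry, here is an added example (not part of the rule or of this catalog) that applies the same ten contains values, with Sigma's default case-insensitive substring semantics, to constructed Sysmon EID 1 / Security 4688-style events; the event records and their command lines are made up for illustration, and the two benign entries show why the padding spaces in ' irm ', 'curl ', 'iwr ' and 'wget ' matter.

```python
"""Evaluate the 'selection' stage of the Sigma rule against sample
process-creation events (Sysmon EID 1 / Security 4688)."""

# Values copied from the rule's selection. Sigma's |contains modifier is a
# case-insensitive substring match and the padding spaces are part of the value.
SELECTION_CONTAINS = [
    " irm ",
    "Invoke-RestMethod",
    "Invoke-WebRequest",
    "Resume-BitsTransfer",
    "Start-BitsTransfer",
    "WinHttp.WinHttpRequest",
    "[System.Net.WebRequest]::create",
    "curl ",
    "iwr ",
    "wget ",
]


def matched_indicators(command_line: str) -> list:
    """Return every selection value found in command_line (case-insensitive)."""
    haystack = command_line.lower()
    return [v for v in SELECTION_CONTAINS if v.lower() in haystack]


def rule_fires(event: dict) -> bool:
    """The rule's condition is just 'selection', i.e. an OR over the list above."""
    return bool(matched_indicators(event.get("CommandLine", "")))


# Constructed sample events (not real telemetry). EventID 1 = Sysmon, 4688 = Security.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"Invoke-WebRequest -Uri http://example.invalid/a -OutFile a.txt\""},
    {"EventID": 4688, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c curl http://example.invalid/b -o b.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c IWR http://example.invalid/c"},
    # Benign: 'irm' appears only inside 'Firmware', which the padded ' irm ' value skips.
    {"EventID": 1, "Image": "C:\\Vendor\\FirmwareUpdater.exe",
     "CommandLine": "C:\\Vendor\\FirmwareUpdater.exe --check"},
    # Benign: 'wget' is followed by 'gui', not the trailing space the value requires.
    {"EventID": 4688, "Image": "C:\\Tools\\wgetgui.exe", "CommandLine": "C:\\Tools\\wgetgui.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_indicators(ev["CommandLine"]), ev["CommandLine"])
```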

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank count or 1 means the indicator is specific to this rule.

Field         Kind    Values
CommandLine   match
  • irm corpus 2 (sigma 2)
  • Invoke-RestMethod corpus 4 (sigma 4)
  • Invoke-WebRequest corpus 6 (sigma 6)
  • Resume-BitsTransfer
  • Start-BitsTransfer corpus 2 (sigma 2)
  • WinHttp.WinHttpRequest
  • [System.Net.WebRequest]::create
  • curl corpus 8 (sigma 8)
  • iwr corpus 8 (sigma 8)
  • wget corpus 7 (sigma 7)