Detection rules › Splunk
PowerShell WebRequest Using Memory Stream
The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving system.net.webclient, system.net.webrequest, and IO.MemoryStream. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1027.011 Obfuscated Files or Information: Fileless Storage |
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: search
search EventCode=4104 ScriptBlockText="*IO.MemoryStream*" ScriptBlockText IN ("*system.net.webclient*", "*system.net.webrequest*")
Stage 2: fillnull
fillnull
Stage 3: stats
stats BY dest, signature, signature_id, user_id, vendor_product, EventID, Guid, Opcode, Name, Path, ProcessID, ScriptBlockId, ScriptBlockText
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ScriptBlockText | eq |
|
ScriptBlockText | in |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential PowerShell Obfuscation via Invalid Escape Sequences (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via Character Array Reconstruction (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via High Numeric Character Proportion (drops 3 filters this rule applies)
- Potential Dynamic IEX Reconstruction via Environment Variables (drops 3 filters this rule applies)
- Dynamic IEX Reconstruction via Method String Access (drops 3 filters this rule applies)
- PowerShell Obfuscation via Negative Index String Reversal (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via Reverse Keywords (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via String Concatenation (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via String Reordering (drops 3 filters this rule applies)
- Potential PowerShell Obfuscation via Special Character Overuse (drops 3 filters this rule applies)
- PowerShell 4104 Hunting (drops 2 filters this rule applies)