title: Windows PowerShell Web Request
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request methods (including aliases) via
    Windows PowerShell command
detection:
    SELECTION_1:
        ScriptBlockText: '*Invoke-WebRequest*'
    SELECTION_2:
        ScriptBlockText: '*iwr *'
    SELECTION_3:
        ScriptBlockText: '*wget *'
    SELECTION_4:
        ScriptBlockText: '*curl *'
    SELECTION_5:
        ScriptBlockText: '*Net.WebClient*'
    SELECTION_6:
        ScriptBlockText: '*Start-BitsTransfer*'
    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
        or SELECTION_6)
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 1139d2e2-84b1-4226-b445-354492eba8ba
level: medium
logsource:
    category: ps_script
    definition: Script block logging must be enabled
    product: windows
modified: 2021/10/16
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
related:
-   id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
    type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_web_request.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script