title: Windows Suspicious Use Of Web Request in CommandLine
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request with commandline tools or Windows
    PowerShell command,methods (including aliases)
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: '*Invoke-WebRequest*'
    SELECTION_3:
        CommandLine: '*iwr *'
    SELECTION_4:
        CommandLine: '*wget *'
    SELECTION_5:
        CommandLine: '*curl *'
    SELECTION_6:
        CommandLine: '*Net.WebClient*'
    SELECTION_7:
        CommandLine: '*Start-BitsTransfer*'
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
        or SELECTION_6 or SELECTION_7))
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
level: medium
logsource:
    category: process_creation
    product: windows
modified: 2021/09/21
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: process_creation_susp_web_request_cmd.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation