title: Suspicious PowerShell Download
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
  SELECTION_1:
    ScriptBlockText: '*System.Net.WebClient*'
  SELECTION_2:
    ScriptBlockText: '*.DownloadFile(*'
  SELECTION_3:
    ScriptBlockText: '*.DownloadString(*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- PowerShell scripts that download content from the Internet
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
level: medium
logsource:
  category: ps_script
  product: windows
modified: 2021/10/18
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
  type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_suspicious_download_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script