← Back to Explore
sigmamediumHunting
Suspicious Invoke-WebRequest Execution With DirectIP
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
Detection Query
selection_img:
- Image|endswith:
- \powershell_ise.exe
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- powershell_ise.EXE
- PowerShell.EXE
- pwsh.dll
selection_commands:
CommandLine|contains:
- "curl "
- Invoke-RestMethod
- Invoke-WebRequest
- " irm "
- "iwr "
- "wget "
selection_ip:
CommandLine|contains:
- ://1
- ://2
- ://3
- ://4
- ://5
- ://6
- ://7
- ://8
- ://9
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-04-21
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Suspicious Invoke-WebRequest Execution With DirectIP
id: 1edff897-9146-48d2-9066-52e8d8f80a2f
status: test
description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
references:
- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_commands:
CommandLine|contains:
# These are all aliases of Invoke-WebRequest
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
- 'iwr '
- 'wget '
selection_ip:
# In case of FP with local IPs add additional filters
CommandLine|contains:
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
condition: all of selection_*
falsepositives:
- Unknown
level: medium