sigmahighHunting

Suspicious Invoke-WebRequest Execution

Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location

MITRE ATT&CK

command-and-control

Detection Query

selection_img:
  - Image|endswith:
      - \powershell_ise.exe
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - powershell_ise.EXE
      - PowerShell.EXE
      - pwsh.dll
selection_commands:
  CommandLine|contains:
    - "curl "
    - Invoke-WebRequest
    - "iwr "
    - "wget "
selection_flags:
  CommandLine|contains:
    - " -ur"
    - " -o"
selection_susp_locations:
  CommandLine|contains:
    - \AppData\
    - \Desktop\
    - \Temp\
    - \Users\Public\
    - "%AppData%"
    - "%Public%"
    - "%Temp%"
    - "%tmp%"
    - :\Windows\
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

Tags

attack.command-and-controlattack.t1105

Raw Content

title: Suspicious Invoke-WebRequest Execution
id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
related:
    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
      type: derived
status: test
description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_commands:
        CommandLine|contains:
            # These are all aliases of Invoke-WebRequest
            - 'curl '
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'wget '
    selection_flags:
        CommandLine|contains:
            - ' -ur'
            - ' -o'
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\'
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - '%AppData%'
            - '%Public%'
            - '%Temp%'
            - '%tmp%'
            - ':\Windows\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high