Suspicious Invoke-WebRequest Execution

    Date: 01/17/2025

    Severity: Medium

    Summary

    "Suspicious Invoke-WebRequest Execution" is the detection of an unusual use of the Invoke-WebRequest cmdlet, the PowerShell command used to send HTTP requests (also reachable through its curl, iwr and wget aliases). The use becomes suspicious when the command's output is written to a suspicious location, such as a user profile, Temp or Public directory, which may indicate malicious intent, such as downloading a payload or exfiltrating data to an unauthorized location. This behavior could be a sign of a cyberattack or unauthorized activity.

    Indicators of Compromise (IOC) List

    Image

    \powershell.exe
    \pwsh.exe

    OriginalFileName

    PowerShell.EXE
    pwsh.dll

    CommandLine

    'curl '
    'Invoke-WebRequest'
    'iwr '
    'wget '
    ' -ur'
    ' -o'
    '\AppData\'
    '\Desktop\'
    '\Temp\'
    '\Users\Public\'
    '%AppData%'
    '%Public%'
    '%Temp%'
    '%tmp%'
    ':\Windows\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security") AND eventtype = "4688" AND newprocessname IN ("\powershell.exe","\pwsh.exe") AND processname IN ("PowerShell.EXE","pwsh.dll") AND ((commandline like "curl" or commandline like "Invoke-WebRequest" or commandline like "iwr" or commandline like "wget") AND (commandline like "-ur" or commandline like "-o")) AND (commandline like "\AppData" or commandline like "\Desktop" or commandline like "\Temp" or commandline like "\Users\Public" or commandline like "%AppData%" or commandline like "%Public%" or commandline like "%Temp%" or commandline like "%tmp%" or commandline like ":\Windows"))

    Detection Query 2

    (technologygroup = "EDR" AND newprocessname IN ("\powershell.exe","\pwsh.exe") AND processname IN ("PowerShell.EXE","pwsh.dll") AND ((commandline like "curl" or commandline like "Invoke-WebRequest" or commandline like "iwr" or commandline like "wget") AND (commandline like "-ur" or commandline like "-o")) AND (commandline like "\AppData" or commandline like "\Desktop" or commandline like "\Temp" or commandline like "\Users\Public" or commandline like "%AppData%" or commandline like "%Public%" or commandline like "%Temp%" or commandline like "%tmp%" or commandline like ":\Windows"))
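    The two queries above combine four conditions: a PowerShell host (by image name or OriginalFileName), a download command token, an output or URL flag, and a suspicious destination path. The following Python is an added example, not Gurucul's or SigmaHQ's code, that reimplements that selection logic from the IOC list so it can be tested offline against constructed process-creation events. Note that the IOC tokens carry their surrounding spaces ('curl ', ' -o'), which the example keeps; comparison is case-insensitive, as Sigma's contains modifier is on Windows. The event identifiers, file names and example.invalid hostnames in the sample events are constructed for the demonstration.

```python
# Tokens transcribed from the page's IOC list, lower-cased because the
# comparison below is case-insensitive.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("powershell.exe", "pwsh.dll")
CMD_TOKENS = ("curl ", "invoke-webrequest", "iwr ", "wget ")
FLAG_TOKENS = (" -ur", " -o")
PATH_TOKENS = (
    "\\appdata\\", "\\desktop\\", "\\temp\\", "\\users\\public\\",
    "%appdata%", "%public%", "%temp%", "%tmp%", ":\\windows\\",
)


def _any_in(haystack, needles):
    return any(needle in haystack for needle in needles)


def explain(event):
    """Return the names of the selections the event fails.

    An empty list means every selection matched, i.e. the event fires
    the rule. Listing the failing selections is useful when tuning: it
    shows which condition kept a near-miss from alerting.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    checks = {
        # OriginalFileName comes from the PE version resource, so it still
        # identifies a PowerShell host that was copied under another name.
        "image": image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILENAMES,
        "command": _any_in(cli, CMD_TOKENS),
        "flag": _any_in(cli, FLAG_TOKENS),
        "path": _any_in(cli, PATH_TOKENS),
    }
    return [name for name, ok in checks.items() if not ok]


def matches_rule(event):
    """True when the process-creation event satisfies all four selections."""
    return not explain(event)


def triage(events):
    """Return the ids of the events that fire the rule, in input order."""
    return [event["id"] for event in events if matches_rule(event)]


# Constructed sample events in the shape of Windows 4688 / EDR records.
SAMPLE_EVENTS = [
    {   # PowerShell download written under \Users\Public\ -> fires
        "id": "evt-1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -nop -c "Invoke-WebRequest -Uri http://files.example.invalid/a.txt -OutFile C:\Users\Public\a.txt"',
    },
    {   # Plain GET with no output file and no suspicious path -> does not fire
        "id": "evt-2",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r'pwsh.exe -c "iwr https://api.example.invalid/status -UseBasicParsing"',
    },
    {   # curl.exe launched from cmd.exe: outside this rule's PowerShell scope
        "id": "evt-3",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c curl -o %TEMP%\x.zip http://mirror.example.invalid/x.zip",
    },
    {   # Renamed PowerShell binary, still caught through OriginalFileName
        "id": "evt-4",
        "Image": r"C:\Users\Public\ps.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'ps.exe -c "Invoke-WebRequest -Uri http://files.example.invalid/b.dll -OutFile C:\Users\bob\AppData\Local\b.dll"',
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        failed = explain(event)
        print(event["id"], "ALERT" if not failed else "no alert, failed: " + ", ".join(failed))
```

Running the block reports evt-1 and evt-4 as alerts; evt-2 is held back by the flag and path selections, and evt-3 by the image selection, which is what you would expect the two TDIR queries above to do on the same records. When converting this logic to a query language, keep the surrounding spaces in the tokens: dropping them (so that "curl" also matches "curly" or "-o" also matches any word beginning with "o") widens the rule and raises the false-positive rate.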

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml

    Tags

    Sigma, Malware, Invoke-WebRequest
