title: Windows PowerShell Upload Web Request
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: experimental
description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
author: frack113
date: 2022/01/07
logsource:
    product: windows
    category: ps_script
    definition: 'Script block logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
    selection_method:
        ScriptBlockText|contains: '-Method '
    selection_verb:
            - ' Put '
            - ' Post '
    condition: all of selection_*
falsepositives:
    - Legitimate script
level: medium
tags:
    - attack.exfiltration
    - attack.t1020