Power Shell Invoke Webrequest
Query
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let AllowedDomains = dynamic(['google.com']);
let Servers = DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceType == "Server"
| distinct DeviceId;
DeviceNetworkEvents
| where InitiatingProcessCommandLine has "Invoke-Webrequest"
| extend CommandLineIpv4 = extract(IPRegex, 0, InitiatingProcessCommandLine)
// If you only want to filter on Invoke-Webrequest that retrieve information direct from IPv4 addresses
//| where isnotempty(CommandLineIpv4)
| where not(RemoteUrl in (AllowedDomains))
| where ActionType == "ConnectionSuccess"
// Filter line below if you also want to return private requests
| where RemoteIPType == "Public"
// If you only want to include servers in this detection use line below
//| where DeviceId in (Servers)
| project-reorder Timestamp, InitiatingProcessCommandLine, RemoteUrl, ActionType, CommandLineIpv4About this query
Explanation
This query is designed to detect potentially malicious use of the PowerShell command "Invoke-Webrequest" on servers. Here's a simple breakdown of what it does:
-
Purpose: The query aims to identify instances where the "Invoke-Webrequest" command is used to download scripts from the internet, which could be a sign of malicious activity.
-
Focus on Servers: The query specifically targets server devices by filtering out other device types. This is because servers are more likely to be targeted for such activities.
-
IP Address Extraction: It extracts IPv4 addresses from the command line to identify direct downloads from IP addresses, which can be suspicious.
-
Domain Filtering: The query excludes downloads from known safe domains (like "google.com") to reduce false positives.
-
Public IPs Only: It focuses on connections to public IP addresses, ignoring private network traffic, which is less likely to be malicious.
-
Successful Connections: Only successful connection attempts are considered, as these indicate that the download was likely completed.
-
Customization Options: The query includes commented-out lines that allow further customization, such as filtering only for direct IPv4 downloads or including only server devices in the detection.
Overall, this query helps security teams monitor and detect potentially harmful script downloads on servers, aiding in the prevention of cyber threats.
