Phase 1 · T1059.001 · Easy

Detecting DownloadString / Invoke-WebRequest Staging

Surface PowerShell pulling remote payloads via WebClient or IWR.

#Windows #PowerShell #Sysmon

Detection Objective

Detect PowerShell-based remote payload retrieval.

Real-World Attack Scenario

An adversary uses (New-Object Net.WebClient).DownloadString('http://...') as the canonical stager.

Why This Detection Matters

Almost every commodity loader still uses this primitive. Cheap to detect; high signal when combined with execution.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • PowerShell 4104 script block
  • Sysmon EID 1 + EID 3 (network connection)

Windows Event IDs: 4688
Sysmon Event IDs: 1, 3
Wazuh Log Source: PowerShell/Operational, Sysmon/Operational

Setup Steps

  1. Enable 4104 logging.
  2. Enable Sysmon network logging for powershell.exe.

Safe Validation Command

Safe local-only fetch.
powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')"
⚠ lab use only · this project does not execute real malware

Expected Log Output

EventID 4104
ScriptBlockText: (New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')

Detection Logic (Wazuh rule concept)

ScriptBlockText matches /(?i)(DownloadString|Invoke-WebRequest|IWR|DownloadFile|WebClient)/ AND process Image matches powershell|pwsh

False Positives

  • Internal automation pulling from artifact servers

Tuning Recommendations

  • Allowlist internal package hosts.
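The rule concept above (cradle keyword in ScriptBlockText AND a PowerShell image) together with the internal-host allowlist from the tuning recommendation, written out as a small Python classifier that runs over constructed sample records. This is an added example, not the project's Wazuh rule; the allowlisted host names and the sample script blocks are made up for illustration.

```python
import re
from typing import Iterable

# Regexes taken from the page's Wazuh rule concept.
CRADLE_RE = re.compile(r"(?i)(DownloadString|Invoke-WebRequest|IWR|DownloadFile|WebClient)")
PS_IMAGE_RE = re.compile(r"(?i)(powershell|pwsh)")
# Captures the host part of every http(s) URL literal in a script block.
URL_HOST_RE = re.compile(r"(?i)https?://([^/'\"\s:]+)")

# Hypothetical internal package hosts (constructed names) for the tuning allowlist.
ALLOWLIST = {"artifacts.corp.local", "nuget.corp.local"}

def evaluate(script_block: str, image: str, allowlist: Iterable[str] = ALLOWLIST) -> str:
    """Classify one record joining a 4104 ScriptBlockText with the Sysmon EID 1 Image.

    Returns 'no_match', 'allowlisted' or 'alert'.
    """
    if not (CRADLE_RE.search(script_block) and PS_IMAGE_RE.search(image)):
        return "no_match"
    hosts = {h.lower() for h in URL_HOST_RE.findall(script_block)}
    # Suppress only when every URL literal points at an approved host. A cradle
    # with no literal URL (host assembled at runtime) still alerts.
    if hosts and hosts <= {h.lower() for h in allowlist}:
        return "allowlisted"
    return "alert"

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"

# Constructed sample records (label, ScriptBlockText, Image); not real telemetry.
SAMPLE_RECORDS = [
    ("validation", "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')", PS),
    ("internal_pkg", "Invoke-WebRequest -Uri https://artifacts.corp.local/agent.zip -OutFile agent.zip", PWSH),
    ("benign", "Get-ChildItem C:\\Temp | Measure-Object", PS),
    ("not_powershell", "(New-Object Net.WebClient).DownloadFile('http://127.0.0.1/a','a')", r"C:\Windows\notepad.exe"),
    ("runtime_host", "$c=New-Object Net.WebClient; $c.DownloadString($u)", PS),
]

def triage(records=SAMPLE_RECORDS) -> dict:
    """Map each record label to its verdict."""
    return {label: evaluate(sb, img) for label, sb, img in records}

if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:15} {verdict}")
```

The 127.0.0.1 validation command alerts because the loopback host is not on the allowlist, which is what proves the rule fires in the lab.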

Analyst Triage Notes

  • Resolve the destination, check reputation.

Detection Improvement Ideas

  • Join with proxy logs for HTTP status / response size.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100719
Detecting DownloadString / Invoke-WebRequest Staging
PowerShell/Operational, Sysmon/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z

analyst note
Resolve the destination, check reputation.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • DownloadString / IWR
    Pulls a remote payload into memory for execution.

Parsed Fields the Analyst Reads

  • Image: process binary that executed; confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it; context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments, where attacker intent shows up.
    powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')"
  • User: account context; service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100719
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened; anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern
DownloadString / Invoke-WebRequest Staging
description
An adversary uses (New-Object Net.WebClient).DownloadString('http://...') as the canonical stager.
analyst takeaway
Almost every commodity loader still uses this primitive. Cheap to detect; high signal when combined with execution. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')"
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100719 — "Detecting DownloadString / Invoke-WebRequest Staging" fires at a level matching severity=high.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.