[metadata]
creation_date = "2023/11/15"

[rule]
author = ["Terguttac"]
description = "Sysmon log indicates powershell's Invoke-WebRequest to download and execute .bat file."
from = "now-6m" # This is the default value. Change as needed.
name = "Powershell Invoke-WebReqeuest Downloading .BAT file"
risk_score = 50
severity = "medium"
rule_id = "00000000-0000-0000-000000000001"
type = "query"

query = '''

event.dataset: "windows.sysmon_operational" and process.parent.name: powershell.exe and process.parent.command_line : *Invoke-WebRequest* and process.command_line: *bat*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# Optional Fields
# throttle: 7d
# version: 1
# interval: 5m