Suspicious URL Opening via PowerShell

Rule Info

Name
Suspicious URL Opening via PowerShell
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of PowerShell to start a URL as a process, which opens a web browser and may trigger a file download if the content cannot be rendered. Threat actors may use this PowerShell command to download second-stage payloads for execution.
Reference
Internal Research
Date
2025-06-25 00:00:00
Modified
None
Id
2f1c5b3b-f56d-4c6b-8cc1-1078919728ac
Tags
attack.execution attack.t1059.001 attack.command-and-control attack.t1105
Type
Nextron Sigma feed only (private)

Rule History