
Rule Info
Name
Usage of Inverted HTTP Protocol Handler - PowerShell
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of an inverted HTTP protocol handler in PowerShell commands or scripts.
Threat actors may use inverted protocol handlers in malware loaders and droppers to obfuscate their commands when downloading
second-stage payloads or other malicious content, in an attempt to bypass security controls that look for specific patterns in command lines.
Date
2025-06-11 00:00:00
Modified
None
Id
6e8c9fde-9c2f-45e6-a1d3-d89ffb9f4f38
Tags
attack.defense-evasion attack.t1027.010 attack.command-and-control attack.t1105
Type
Nextron Sigma feed only (private)