title: Suspicious PowerShell Download
status: experimental
description: Detects suspicious PowerShell download command
author: Florian Roth
logsource:
    platform: windows
    product: powershell
detection:
    keywords:
        - 'System.Net.WebClient).DownloadString('
        - 'system.net.webclient).downloadfile('
    condition: keywords
falsepositives:
    - PowerShell scripts that download content from the Internet
level: medium