Command Line Execution with Suspicious URL and AppData Strings (1ac8666b-046f-4201-8aba-1951aaec03a3)

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command Line Execution with Suspicious URL and AppData Strings (1ac8666b-046f-4201-8aba-1951aaec03a3)	Sigma-Rules	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command Line Execution with Suspicious URL and AppData Strings (1ac8666b-046f-4201-8aba-1951aaec03a3)	Sigma-Rules	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Command Line Execution with Suspicious URL and AppData Strings (1ac8666b-046f-4201-8aba-1951aaec03a3)	Sigma-Rules	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2