Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities exfiltrating data via web requests

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 02Updated Sun Oct 197d1aaf3d-4304-425c-b7c3-162055e0b3abwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic5 selectors
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
            - 'wget '
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -uri flag
            - ' -me' # Shortest possible version of the -method flag
            - ' -b'
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Shortest possible version of the --data flag
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|re:
              - 'net\s+view'
              - 'sc\s+query'
        - CommandLine|contains:
              - 'Get-Content'
              - 'GetBytes'
              - 'hostname'
              - 'ifconfig'
              - 'ipconfig'
              - 'netstat'
              - 'nltest'
              - 'qprocess'
              - 'systeminfo'
              - 'tasklist'
              - 'ToBase64String'
              - 'whoami'
        - CommandLine|contains|all:
              - 'type '
              - ' > '
              - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
sentinelone.com
MITRE ATT&CK
Rule Metadata
Rule ID
7d1aaf3d-4304-425c-b7c3-162055e0b3ab
Status
test
Level
high
Type
Detection
Created
Tue Aug 02
Modified
Sun Oct 19
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub