Potential Data Exfiltration Activity Via CommandLine Tools

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the use of various CLI utilities exfiltrating data via web requests

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection_iwr`

or:
CommandLine|contains: Invoke-RestMethod
CommandLine|contains: Invoke-WebRequest
CommandLine|contains: 'curl '
CommandLine|contains: 'irm '
CommandLine|contains: 'iwr '
CommandLine|contains: 'wget '
or:
Image|endswith: '\cmd.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
CommandLine|contains: ' -b'
CommandLine|contains: ' -me'
CommandLine|contains: ' -ur'
CommandLine|contains: ' POST '

Stage 2: `all of selection_curl`

CommandLine|contains: --ur
Image|endswith: '\curl.exe'

Stage 3: `all of selection_curl_data`

or:
CommandLine|contains: ' --data '
CommandLine|contains: ' -d '

Stage 4: `selection_wget`

or:
CommandLine|contains: --post-data
CommandLine|contains: --post-file
Image|endswith: '\wget.exe'

Stage 5: `payloads`

or:
CommandLine|contains: ' > '
CommandLine|contains: ' C:\'
CommandLine|contains: 'type '
CommandLine|contains: Get-Content
CommandLine|contains: GetBytes
CommandLine|contains: ToBase64String
CommandLine|contains: hostname
CommandLine|contains: ifconfig
CommandLine|contains: ipconfig
CommandLine|contains: netstat
CommandLine|contains: nltest
CommandLine|contains: qprocess
CommandLine|contains: systeminfo
CommandLine|contains: tasklist
CommandLine|contains: whoami
CommandLine|re: 'net\s+view'
CommandLine|re: 'sc\s+query'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`--data` `-b` `-d` corpus 6 (sigma 6) `-me` `-ur` corpus 2 (sigma 2) `>` corpus 5 (sigma 5) `C:\` corpus 2 (sigma 2) `POST` `--post-data` `--post-file` `--ur` `Get-Content` corpus 2 (sigma 2) `GetBytes` `Invoke-RestMethod` corpus 4 (sigma 4) `Invoke-WebRequest` corpus 6 (sigma 6) `ToBase64String` `curl` corpus 8 (sigma 8) `hostname` `ifconfig` `ipconfig` `irm` corpus 3 (sigma 3) `iwr` corpus 8 (sigma 8) `netstat` `nltest` `qprocess` `systeminfo` `tasklist` `type` corpus 6 (sigma 6) `wget` corpus 7 (sigma 7) `whoami`
`CommandLine`	regex_match	`net\s+view` `sc\s+query`
`Image`	ends_with	`\cmd.exe` corpus 92 (sigma 92) `\curl.exe` corpus 19 (sigma 19) `\powershell.exe` corpus 143 (sigma 143) `\powershell_ise.exe` corpus 27 (sigma 27) `\pwsh.exe` corpus 140 (sigma 140) `\wget.exe` corpus 6 (sigma 6)

Potential Data Exfiltration Activity Via CommandLine Tools

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_iwr

Stage 2: all of selection_curl

Stage 3: all of selection_curl_data