Detects the use of various CLI utilities exfiltrating data via web requests
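title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
# NOTE(review): the title/description describe exfiltration, but the rule is only
# tagged with the execution tactic; consider also tagging attack.exfiltration
# (and the matching T1048 sub-technique) so the alert is triaged under the right tactic.
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
# Logic: one of three "web upload" shapes (PowerShell web cmdlet, curl.exe with a body,
# wget.exe with --post-*) must co-occur on the same command line with a "payload"
# indicator (host-recon command, file read, or Base64 encoding).
detection:
    # PowerShell (or cmd launching it) using Invoke-WebRequest / Invoke-RestMethod or
    # their short aliases with a URI, an explicit method, a body and the POST verb.
    # NOTE(review): in PowerShell 7+ the `curl`/`wget` aliases no longer exist, so
    # those tokens resolve to the native binaries whose flags do not match the
    # `-ur`/`-me` checks below; that case is covered only by selection_curl*/selection_wget.
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
            - 'wget '
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -uri flag
            - ' -me' # Shortest possible version of the -method flag
            - ' -b' # Presumably the shortest form of the -body flag
            - ' POST '
    # Native curl.exe with a target URL *and* a request body (both selection_curl*
    # parts are required by the condition).
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Substring of curl's --url flag
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Short form of the --data flag
            - ' --data '
    # Native wget.exe sending a POST body from an argument or a file.
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    # What is being sent: recon output, file contents, or Base64-encoded data.
    payloads:
        - CommandLine|re:
            - 'net\s+view'
            - 'sc\s+query'
        - CommandLine|contains:
            - 'Get-Content'
            - 'GetBytes'
            - 'hostname'
            - 'ifconfig'
            - 'ipconfig'
            - 'netstat'
            - 'nltest'
            - 'qprocess'
            - 'systeminfo'
            - 'tasklist'
            - 'ToBase64String'
            - 'whoami'
        - CommandLine|contains|all: # `type <file> > C:\...` staging a file for upload
            - 'type '
            - ' > '
            - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high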
// Sentinel translation of the Sigma rule above (ASIM imProcessCreate parser).
// Structure mirrors the Sigma condition:
//   (selection_iwr OR (selection_curl AND selection_curl_data) OR selection_wget) AND payloads
// Note: `contains`/`endswith` are case-insensitive in KQL, `matches regex` is case-sensitive.
imProcessCreate
| where (
        // selection_iwr: PowerShell/cmd host + web cmdlet (or alias) + uri/method/body/POST
        (
            (TargetProcessName endswith "\\powershell_ise.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\cmd.exe")
            and (TargetProcessCommandLine contains "curl " or TargetProcessCommandLine contains "Invoke-RestMethod" or TargetProcessCommandLine contains "Invoke-WebRequest" or TargetProcessCommandLine contains "irm " or TargetProcessCommandLine contains "iwr " or TargetProcessCommandLine contains "wget ")
            and (TargetProcessCommandLine contains " -ur" and TargetProcessCommandLine contains " -me" and TargetProcessCommandLine contains " -b" and TargetProcessCommandLine contains " POST ")
        )
        // selection_curl + selection_curl_data: native curl with a URL and a body
        or (
            (TargetProcessName endswith "\\curl.exe" and TargetProcessCommandLine contains "--ur")
            and (TargetProcessCommandLine contains " -d " or TargetProcessCommandLine contains " --data ")
        )
        // selection_wget: native wget posting data
        or (
            TargetProcessName endswith "\\wget.exe"
            and (TargetProcessCommandLine contains "--post-data" or TargetProcessCommandLine contains "--post-file")
        )
    )
    // payloads: recon output, file read, Base64 encoding, or file staging
    and (
        (TargetProcessCommandLine matches regex "net\\s+view" or TargetProcessCommandLine matches regex "sc\\s+query")
        or (TargetProcessCommandLine contains "Get-Content" or TargetProcessCommandLine contains "GetBytes" or TargetProcessCommandLine contains "hostname" or TargetProcessCommandLine contains "ifconfig" or TargetProcessCommandLine contains "ipconfig" or TargetProcessCommandLine contains "netstat" or TargetProcessCommandLine contains "nltest" or TargetProcessCommandLine contains "qprocess" or TargetProcessCommandLine contains "systeminfo" or TargetProcessCommandLine contains "tasklist" or TargetProcessCommandLine contains "ToBase64String" or TargetProcessCommandLine contains "whoami")
        or (TargetProcessCommandLine contains "type " and TargetProcessCommandLine contains " > " and TargetProcessCommandLine contains " C:\\")
    )
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |