PowerShell Possible C2 Connection

Query

# Rule: Suspicious PowerShell Web Requests

## Description
This detection rule identifies PowerShell commands associated with downloading data to, or transferring data from, a system, a pattern attackers commonly use for data exfiltration or for staging malicious downloads. Malicious actors use web request utilities such as `Invoke-WebRequest`, `iwr`, `wget`, `curl`, `Net.WebClient`, and `Start-BitsTransfer` within PowerShell to interact with remote resources, and these utilities are available on every Windows host without bringing in extra tooling.

Detecting these commands helps flag potential data exfiltration attempts or unauthorized file transfers that could indicate malicious activity or compromise.

Related Sigma rule: Suspicious Data Exfiltration via CLI, https://github.com/SigmaHQ/sigma/blob/35a5eb9a4cb6f9c7a25277617806471d9999b255/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml

## Detection Logic
- Filters `DeviceEvents` where the `ActionType` contains `"PowerShellCommand"`.
- Parses the `AdditionalFields` to analyze the PowerShell command executed.
- Matches the PowerShell command against suspicious web request utilities such as:
  - `Invoke-WebRequest` (iwr)
  - `wget`
  - `curl`
  - `Net.WebClient`
  - `Start-BitsTransfer`

These commands are often used to download or upload files, and their presence in command-line executions is suspicious in many scenarios, especially outside of standard administrative use.
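The three steps above, implemented in Python as an added example (this is not the page author's code and not Microsoft's implementation of the KQL operators). It assumes the row shape the query itself implies: `ActionType` is a string and `AdditionalFields` is a JSON string carrying a `Command` key. The sample rows are constructed for the example. It also shows one caveat a practitioner should check: KQL's `matches regex` is case-sensitive, while PowerShell resolves cmdlet and alias names case-insensitively, so the rule as written would not fire on `invoke-webrequest`; a `(?i)` prefix on the pattern closes that gap.

```python
import json
import re

# Same utility list as the page's rule. \b keeps "iwr" from matching inside a
# longer word such as "iwrite". Compiled case-sensitive to mirror the default
# behaviour of KQL's `matches regex`.
SUSPICIOUS_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"
)

# Case-insensitive variant: PowerShell ignores case in cmdlet and alias names,
# so matching only the canonical casing produces false negatives. In KQL the
# equivalent is prefixing the pattern with (?i).
SUSPICIOUS_RE_CI = re.compile(SUSPICIOUS_RE.pattern, re.IGNORECASE)

# Constructed sample records in the shape of DeviceEvents rows (assumption:
# AdditionalFields is a JSON string with a "Command" key, as the query implies).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "Invoke-WebRequest -Uri https://updates.example.test/pkg.zip -OutFile pkg.zip"})},
    {"DeviceName": "ws01", "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "Get-ChildItem C:\\Users -Recurse"})},
    {"DeviceName": "ws02", "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "(New-Object System.Net.WebClient).DownloadString('https://example.test/a.ps1')"})},
    {"DeviceName": "ws02", "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "invoke-webrequest https://example.test/b.txt"})},
    {"DeviceName": "ws03", "ActionType": "ProcessCreated",
     "AdditionalFields": json.dumps({"Command": "curl https://example.test"})},
    {"DeviceName": "ws03", "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "Start-BitsTransfer -Source https://example.test/c.bin -Destination C:\\Temp\\c.bin"})},
    {"DeviceName": "ws03", "ActionType": "PowerShellCommand",
     "AdditionalFields": "not json"},
]


def extract_command(event):
    """Step 2: parse AdditionalFields and return its Command string.

    Mirrors `extend parsed = parse_json(AdditionalFields)` followed by
    `parsed.Command`: a malformed payload yields None instead of an error.
    """
    try:
        parsed = json.loads(event.get("AdditionalFields", ""))
    except (TypeError, ValueError):
        return None
    if not isinstance(parsed, dict):
        return None
    cmd = parsed.get("Command")
    return cmd if isinstance(cmd, str) else None


def find_suspicious(events, ignore_case=False):
    """Run the rule's three steps; return (DeviceName, utility, command) hits."""
    pattern = SUSPICIOUS_RE_CI if ignore_case else SUSPICIOUS_RE
    hits = []
    for event in events:
        # Step 1: keep only PowerShell command telemetry.
        if "PowerShellCommand" not in event.get("ActionType", ""):
            continue
        command = extract_command(event)
        if command is None:
            continue
        # Step 3: match the command against the utility list.
        match = pattern.search(command)
        if match:
            hits.append((event["DeviceName"], match.group(1), command))
    return hits


if __name__ == "__main__":
    for ci in (False, True):
        print(f"ignore_case={ci}:")
        for device, utility, command in find_suspicious(SAMPLE_EVENTS, ignore_case=ci):
            print(f"  {device}: {utility} <- {command}")
```

Running it shows three hits with the page's case-sensitive pattern and four with the case-insensitive one; the lowercase `invoke-webrequest` row is the difference. The `System.Net.WebClient` row matches because `\b` treats the `.` before `Net` as a word boundary, so the rule's `Net\.WebClient` term covers the fully qualified class name as well.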

## Tags
- PowerShell
- Data Exfiltration
- Malicious Downloads
- Suspicious Command Execution

## Search Query
```kql
DeviceEvents
| where ActionType contains "PowerShellCommand"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Command matches regex @"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"
```

Explanation

This query is designed to detect suspicious PowerShell commands that are often used by attackers to download or transfer data from a system. It focuses on identifying commands like Invoke-WebRequest, iwr, wget, curl, Net.WebClient, and Start-BitsTransfer, which can be used for malicious purposes such as data exfiltration or unauthorized file transfers.

Here's a simplified breakdown of what the query does:

  1. Filter Events: It looks at DeviceEvents where the ActionType indicates a PowerShell command was executed.
  2. Parse Commands: It extracts and analyzes the PowerShell command from the AdditionalFields.
  3. Match Suspicious Commands: It checks if the command matches any of the known suspicious web request utilities.

By identifying these commands, the query helps flag potential malicious activities that could compromise system security.

Key Points:

  • Purpose: Detect potential data exfiltration or malicious downloads via PowerShell.
  • Focus: Specific web request commands used in PowerShell.
  • Tags: PowerShell, Data Exfiltration, Malicious Downloads, Suspicious Command Execution.

This query helps in identifying and mitigating potential security threats by monitoring for suspicious PowerShell activity.

Details

Ali Hussein

Released: September 25, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, PowerShell, Data Exfiltration, Malicious Downloads, Suspicious Command Execution

Operators

contains, extend, parse_json, matches regex