Rule : Suspicious PowerShell Web Requests
Power Shell Possible C2connection
Query
DeviceEvents
| where ActionType contains "PowerShellCommand"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Command matches regex @"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"About this query
Explanation
This query is designed to detect suspicious PowerShell commands that are often used by attackers to download or transfer data from a system. It focuses on identifying commands like Invoke-WebRequest, iwr, wget, curl, Net.WebClient, and Start-BitsTransfer, which can be used for malicious purposes such as data exfiltration or unauthorized file transfers.
Here's a simplified breakdown of what the query does:
- Filter Events: It looks at
DeviceEventswhere theActionTypeindicates a PowerShell command was executed. - Parse Commands: It extracts and analyzes the PowerShell command from the
AdditionalFields. - Match Suspicious Commands: It checks if the command matches any of the known suspicious web request utilities.
By identifying these commands, the query helps flag potential malicious activities that could compromise system security.
Key Points:
- Purpose: Detect potential data exfiltration or malicious downloads via PowerShell.
- Focus: Specific web request commands used in PowerShell.
- Tags: PowerShell, Data Exfiltration, Malicious Downloads, Suspicious Command Execution.
Search Query:
DeviceEvents
| where ActionType contains "PowerShellCommand"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Command matches regex @"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"
This query helps in identifying and mitigating potential security threats by monitoring for suspicious PowerShell activity.
Details

Ali Hussein
Released: September 25, 2024
Tables
Keywords
Operators