Query Details

Rule : Suspicious PowerShell Web Requests

Power Shell Possible C2connection

Query

DeviceEvents
| where ActionType contains "PowerShellCommand"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Command matches regex @"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"

About this query

Explanation

This query is designed to detect suspicious PowerShell commands that are often used by attackers to download or transfer data from a system. It focuses on identifying commands like Invoke-WebRequest, iwr, wget, curl, Net.WebClient, and Start-BitsTransfer, which can be used for malicious purposes such as data exfiltration or unauthorized file transfers.

Here's a simplified breakdown of what the query does:

  1. Filter Events: It looks at DeviceEvents where the ActionType indicates a PowerShell command was executed.
  2. Parse Commands: It extracts and analyzes the PowerShell command from the AdditionalFields.
  3. Match Suspicious Commands: It checks if the command matches any of the known suspicious web request utilities.

By identifying these commands, the query helps flag potential malicious activities that could compromise system security.

Key Points:

  • Purpose: Detect potential data exfiltration or malicious downloads via PowerShell.
  • Focus: Specific web request commands used in PowerShell.
  • Tags: PowerShell, Data Exfiltration, Malicious Downloads, Suspicious Command Execution.

Search Query:

DeviceEvents
| where ActionType contains "PowerShellCommand"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Command matches regex @"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|Start-BitsTransfer)\b"

This query helps in identifying and mitigating potential security threats by monitoring for suspicious PowerShell activity.

Details

Ali Hussein profile picture

Ali Hussein

Released: September 25, 2024

Tables

DeviceEvents

Keywords

DeviceEventsPowerShellDataExfiltrationMaliciousDownloadsSuspiciousCommandExecution

Operators

containsextendparse_jsonmatches regex

Actions

GitHub