← Back to SOC feed Coverage →

Suspicious PowerShell curl flags

kql MEDIUM Azure-Sentinel
DeviceProcessEvents
exploithuntingmicrosoftofficialpowershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-05T11:00:00Z · Confidence: medium

Hunt Hypothesis

Attackers may use non-standard PowerShell curl flags to exfiltrate data or execute malicious payloads covertly. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activity or data exfiltration attempts that evade traditional detection methods.

KQL Query

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all("-met", "POST", "-Body")

Analytic Rule Definition

id: 9cde2f21-35c9-452b-b149-ebbed3d0c7ae
name: Suspicious PowerShell curl flags
description: |
  Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing uncommon PowerShell flags to communicate to command-and-control infrastructure.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Execution
- Vulnerability
query: |
  DeviceProcessEvents
  | where FileName =~ "powershell.exe"
  | where ProcessCommandLine has_all("-met", "POST", "-Body")

Required Data Sources

Sentinel TableNotes
DeviceProcessEventsEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Suspicious PowerShell curl flags.yaml