Curl Usage on Linux
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
Sigma rule
title: Curl Usage on Linux
id: ea34fb97-e2c4-4afb-810f-785e4459b194
status: test
description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: low
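Added example, not code from the Sigma project or this rule's author: a small Python matcher that applies the rule's single selection to constructed Linux process_creation events, so a defender can see what `Image|endswith: '/curl'` catches (curl launched from any path) and what it does not (a binary named `curlx`, or a shell whose command line merely mentions curl). The event field names and sample values are assumptions.

```python
# Detection logic of the rule above, reduced to the selection it actually uses.
RULE = {
    "detection": {
        "selection": {"Image|endswith": "/curl"},
        "condition": "selection",
    }
}

# Constructed process_creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": "/usr/bin/curl", "CommandLine": "curl -sO https://example.invalid/a.sh"},
    {"ProcessId": 102, "Image": "/usr/bin/wget", "CommandLine": "wget https://example.invalid/a.sh"},
    {"ProcessId": 103, "Image": "/opt/tools/curl", "CommandLine": "curl -I https://example.invalid"},
    {"ProcessId": 104, "Image": "/usr/bin/curlx", "CommandLine": "curlx --version"},
    {"ProcessId": 105, "Image": "/bin/bash", "CommandLine": "bash -c 'curl https://example.invalid'"},
]


def _field_matches(event, key, expected):
    """Evaluate one 'field|modifier: value' pair; Sigma string matching is case-insensitive by default."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    patterns = expected if isinstance(expected, list) else [expected]
    for pattern in (str(p).lower() for p in patterns):
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "startswith" and value.startswith(pattern):
            return True
        if modifier == "contains" and pattern in value:
            return True
        if modifier == "" and value == pattern:
            return True
    return False


def selection_matches(selection, event):
    """All key/value pairs inside one selection map are AND-ed."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule, event):
    detection = rule["detection"]
    if detection["condition"] != "selection":
        raise NotImplementedError("only the plain 'condition: selection' form is handled here")
    return selection_matches(detection["selection"], event)


def matching_pids(events, rule=RULE):
    """Return the ProcessId of every event the rule fires on."""
    return [e["ProcessId"] for e in events if rule_matches(rule, e)]
```

Event 105 is the blind spot to keep in mind: the rule keys on `Image`, so curl invoked through a shell wrapper only surfaces once the child curl process itself is logged.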
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings
- Download File To Potentially Suspicious Directory Via Wget
