Suspicious Curl File Upload - Linux

 1title: Suspicious Curl File Upload - Linux
 2id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
 3related:
 4    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
 5      type: derived
 6status: test
 7description: Detects a suspicious curl process start the adds a file to a web request
 8references:
 9    - https://twitter.com/d1r4c/status/1279042657508081664
10    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
12    - https://curl.se/docs/manpage.html
13    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
14author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
15date: 2022-09-15
16modified: 2023-05-02
17tags:
18    - attack.exfiltration
19    - attack.command-and-control
20    - attack.t1567
21    - attack.t1105
22logsource:
23    category: process_creation
24    product: linux
25detection:
26    selection_img:
27        Image|endswith: '/curl'
28    selection_cli:
29        - CommandLine|contains:
30              - ' --form' # Also covers the "--form-string"
31              - ' --upload-file '
32              - ' --data '
33              - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
34        - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
35    filter_optional_localhost:
36        CommandLine|contains:
37            - '://localhost'
38            - '://127.0.0.1'
39    condition: all of selection_* and not 1 of filter_optional_*
40falsepositives:
41    - Scripts created by developers and admins
42level: medium

References

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• Upload files with CURL

  CURL is a great tool for making requests to servers; especially, I feel it is great to use for testing APIs.

  
  Read More

• atomic-red-team/atomics/T1105/T1105.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• curl - How To Use

  Options Keep Expanded Bottom right handle resizes. --abstract-unix-socket --alt-svc --anyauth -a, --append --aws-sigv4 --basic --ca-native --cacert --capath --cert-status --cert-type -E, --cert --c...

  
  Read More

• How Malicious Actors Abuse Native Linux Tools in Their Attacks

  

  Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact.

  
  Read More

Related rules

• Cisco Stage Data
• Communication To Ngrok Tunneling Service - Linux
• Communication To Ngrok Tunneling Service Initiated
• Hidden Flag Set On File/Directory Via Chflags - MacOS
• Insensitive Subfolder Search Via Findstr.EXE