Suspicious Curl File Upload - Linux

 1title: Suspicious Curl File Upload - Linux
 2id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
 3related:
 4    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
 5      type: derived
 6status: test
 7description: Detects a suspicious curl process start the adds a file to a web request
 8references:
 9    - https://twitter.com/d1r4c/status/1279042657508081664
10    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
12    - https://curl.se/docs/manpage.html
13    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
14author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
15date: 2022/09/15
16modified: 2023/05/02
17tags:
18    - attack.exfiltration
19    - attack.t1567
20    - attack.t1105
21logsource:
22    category: process_creation
23    product: linux
24detection:
25    selection_img:
26        Image|endswith: '/curl'
27    selection_cli:
28        - CommandLine|contains:
29              - ' --form' # Also covers the "--form-string"
30              - ' --upload-file '
31              - ' --data '
32              - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
33        - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
34    filter_optional_localhost:
35        CommandLine|contains:
36            - '://localhost'
37            - '://127.0.0.1'
38    condition: all of selection_* and not 1 of filter_optional_*
39falsepositives:
40    - Scripts created by developers and admins
41level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Upload files with CURL

  CURL is a great tool for making requests to servers; especially, I feel it is great to use for testing APIs.

  
  Read More

• atomic-red-team/atomics/T1105/T1105.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• curl - How To Use

  Options Keep Expanded Bottom right handle resizes. --abstract-unix-socket --alt-svc --anyauth -a, --append --aws-sigv4 --basic --ca-native --cacert --capath -E, --cert --cert-status --cert-type --c...

  
  Read More

• How Malicious Actors Abuse Native Linux Tools in Their Attacks

  

  Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact.

  
  Read More

Related rules

• Communication To Ngrok Tunneling Service Initiated
• Communication To Ngrok Tunneling Service - Linux
• LOLBAS Data Exfiltration by DataSvcUtil.exe
• Cisco Stage Data
• PowerShell Script With File Hostname Resolving Capabilities