Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on Linux with the user-agent option set
Sigma rule
title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
      type: derived
status: test
description: Detects a suspicious curl process start on linux with set useragent options
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
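Added example (not part of the Sigma project or this rule): a small evaluator for the rule's `selection` block run over constructed process_creation events, showing which command lines fire and one that does not because `--user-agent=value` has no trailing space, which is the gap a tuner would want to know about. The event field names `Image` and `CommandLine` follow the rule; the sample events are constructed here, not real telemetry.

```python
"""Evaluate the rule's `selection` logic against constructed events."""

# The rule's matching terms, copied from the `selection` block above.
RULE = {
    "image_endswith": "/curl",
    "commandline_contains": [" -A ", " --user-agent "],
}


def matches(event: dict) -> bool:
    """Return True when the event satisfies `selection`.

    Sigma string matching is case-insensitive by default, so both the
    field values and the rule's terms are lower-cased before comparing.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(RULE["image_endswith"]):
        return False
    return any(term.lower() in cmdline for term in RULE["commandline_contains"])


# Constructed sample events (hypothetical; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -A 'Mozilla/5.0' http://example.invalid/"},
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl --user-agent 'custom-ua' http://example.invalid/"},
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -sSL http://example.invalid/"},
    # Same intent as the second event, but the `=` form has no space after
    # the option name, so ' --user-agent ' is not a substring: no alert.
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl --user-agent=custom-ua http://example.invalid/"},
    # Different binary: fails the Image|endswith check regardless of flags.
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget -U 'custom-ua' http://example.invalid/"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return one boolean per event: does the rule fire on it?"""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, run()):
        print("ALERT " if fired else "quiet ", event["CommandLine"])
```

The fourth event shows why an analyst might extend the `CommandLine|contains` list with `--user-agent=` before deploying, accepting the extra false positives from admin scripts noted in the rule.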
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern