Potential Cookies Session Hijacking
Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
Sigma rule
title: Potential Cookies Session Hijacking
id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
status: test
description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        - CommandLine|re: '\s-c\s'
        - CommandLine|contains: '--cookie-jar'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
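To show how the two selections and the `all of selection_*` condition behave on concrete process_creation events, here is an added Python re-implementation of the rule's matching logic run over constructed sample events. It is not part of the rule or of the Sigma project; it assumes Sigma's default semantics (plain string modifiers compare case-insensitively, the `re` modifier is case-sensitive), and the sample events and paths are made up.

```python
import re

# selection_cli, item 1: the rule's regex, taken verbatim. The "re" modifier
# is case-sensitive in Sigma, so no IGNORECASE flag is applied here.
COOKIE_FLAG_RE = re.compile(r"\s-c\s")


def is_curl_image(event: dict) -> bool:
    """selection_img: Image ends with \\curl.exe OR OriginalFileName is curl.exe.
    A list under a selection is an OR; string comparisons are case-insensitive."""
    image = event.get("Image", "").lower()
    orig_name = event.get("OriginalFileName", "").lower()
    return image.endswith("\\curl.exe") or orig_name == "curl.exe"


def has_cookie_jar_flag(event: dict) -> bool:
    """selection_cli: ' -c ' by regex OR '--cookie-jar' as a substring."""
    cmd = event.get("CommandLine", "")
    return bool(COOKIE_FLAG_RE.search(cmd)) or "--cookie-jar" in cmd.lower()


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return is_curl_image(event) and has_cookie_jar_flag(event)


# Constructed sample events (not real telemetry); hostnames and paths are invented.
SAMPLE_EVENTS = [
    # 0: plain curl.exe writing a cookie jar with the short flag -> match
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -c C:\Users\Public\cj.txt https://example.test/login"},
    # 1: renamed binary caught via OriginalFileName, long flag -> match
    {"Image": r"C:\Tools\renamed.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "renamed.exe --cookie-jar out.txt https://example.test/"},
    # 2: curl.exe but no cookie-jar option -> no match
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -sL https://example.test/file.zip -o file.zip"},
    # 3: " -c " present but the image is not curl -> no match (both selections needed)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo -c test"},
    # 4: curl short options combined as "-sc": the regex needs whitespace directly
    #    before "-c", so this does not match; worth knowing when tuning coverage
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -sc cj.txt https://example.test/"},
]


def matching_indices(events=SAMPLE_EVENTS) -> list:
    """Return the indices of events that the rule would alert on."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for i in matching_indices():
        print(f"event {i} matches: {SAMPLE_EVENTS[i]['CommandLine']}")
```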