Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
Sigma rule (View on GitHub)
1title: Curl Web Request With Potential Custom User-Agent
2id: 85de1f22-d189-44e4-8239-dc276b45379b
3status: test
4description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
5references:
6 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
7 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023-07-27
10tags:
11 - attack.execution
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_img:
17 - Image|endswith: '\curl.exe'
18 - OriginalFileName: 'curl.exe'
19 selection_header:
20 CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
21 CommandLine|contains: 'User-Agent:'
22 condition: all of selection_*
23falsepositives:
24 - Unknown
25level: medium
References
-
WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.
Read More -
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change