Suspicious File Download From File Sharing Domain Via Curl.EXE

Detects potentially suspicious file download from file sharing domains using curl.exe

Sigma rule (View on GitHub)

 1title: Suspicious File Download From File Sharing Domain Via Curl.EXE
 2id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
 3status: experimental
 4description: Detects potentially suspicious file download from file sharing domains using curl.exe
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-05-05
10modified: 2024-08-22
11tags:
12    - attack.execution
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith: '\curl.exe'
19        - OriginalFileName: 'curl.exe'
20    selection_websites:
21        CommandLine|contains:
22            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
23            - 'anonfiles.com'
24            - 'cdn.discordapp.com'
25            - 'ddns.net'
26            - 'dl.dropboxusercontent.com'
27            - 'ghostbin.co'
28            - 'glitch.me'
29            - 'gofile.io'
30            - 'hastebin.com'
31            - 'mediafire.com'
32            - 'mega.nz'
33            - 'onrender.com'
34            - 'pages.dev'
35            - 'paste.ee'
36            - 'pastebin.com'
37            - 'pastebin.pl'
38            - 'pastetext.net'
39            - 'privatlab.com'
40            - 'privatlab.net'
41            - 'send.exploit.in'
42            - 'sendspace.com'
43            - 'storage.googleapis.com'
44            - 'storjshare.io'
45            - 'supabase.co'
46            - 'temp.sh'
47            - 'transfer.sh'
48            - 'trycloudflare.com'
49            - 'ufile.io'
50            - 'w3spaces.com'
51            - 'workers.dev'
52    selection_http:
53        CommandLine|contains: 'http'
54    selection_flag:
55        CommandLine|contains:
56            - ' -O'  # covers the alias for --remote-name and --output
57            - '--remote-name'
58            - '--output'
59    selection_ext:
60        CommandLine|endswith:
61            - ".ps1"
62            - ".ps1'"
63            - '.ps1"'
64            - ".dat"
65            - ".dat'"
66            - '.dat"'
67            - ".msi"
68            - ".msi'"
69            - '.msi"'
70            - ".bat"
71            - ".bat'"
72            - '.bat"'
73            - ".exe"
74            - ".exe'"
75            - '.exe"'
76            - ".vbs"
77            - ".vbs'"
78            - '.vbs"'
79            - ".vbe"
80            - ".vbe'"
81            - '.vbe"'
82            - ".hta"
83            - ".hta'"
84            - '.hta"'
85            - ".dll"
86            - ".dll'"
87            - '.dll"'
88            - ".psm1"
89            - ".psm1'"
90            - '.psm1"'
91    condition: all of selection_*
92falsepositives:
93    - Unknown
94level: high

References

Related rules

to-top