Insecure Transfer Via Curl.EXE

Dec 25, 2025 · attack.execution ·

Detects execution of "curl.exe" with the "--insecure" flag.

Sigma rule (View on GitHub)

 1title: Insecure Transfer Via Curl.EXE
 2id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
 3status: test
 4description: Detects execution of "curl.exe" with the "--insecure" flag.
 5references:
 6    - https://curl.se/docs/manpage.html
 7author: X__Junior (Nextron Systems)
 8date: 2023-06-30
 9tags:
10    - attack.execution
11logsource:
12    product: windows
13    category: process_creation
14detection:
15    selection_img:
16        - Image|endswith: '\curl.exe'
17        - OriginalFileName: 'curl.exe'
18    selection_cli:
19        - CommandLine|re: '\s-k\s'
20        - CommandLine|contains: '--insecure'
21    condition: all of selection_*
22falsepositives:
23    - Access to badly maintained internal or development systems
24level: medium
25regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml

References

curl - How To Use

Options Keep Expanded Bottom right handle resizes. --abstract-unix-socket --alt-svc --anyauth -a, --append --aws-sigv4 --basic --ca-native --cacert --capath --cert-status --cert-type -E, --cert --c...

Read More

Insecure Transfer Via Curl.EXE

Sigma rule (View on GitHub)

References

curl - How To Use

Related rules