Insecure Proxy/DOH Transfer Via Curl.EXE
Detects execution of curl.exe with the --proxy-insecure or --doh-insecure flag, which disables TLS certificate verification for the HTTPS proxy or the DNS-over-HTTPS (DoH) connection respectively.
Sigma rule

```yaml
title: Insecure Proxy/DOH Transfer Via Curl.EXE
id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
status: experimental
description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/27
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        CommandLine|contains:
            - '--doh-insecure'
            - '--proxy-insecure'
    condition: all of selection_*
falsepositives:
    - Access to badly maintained internal or development systems
level: medium
```
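To make the rule's matching semantics concrete, here is an added example (not part of the Sigma project or the rule author's material) that transcribes the detection block into Python and runs it over a few constructed process_creation events. It assumes the Sigma Windows process_creation field names (Image, OriginalFileName, CommandLine) and Sigma's default case-insensitive string matching; the sample events and paths are constructed, not real telemetry.

```python
"""Evaluate the Sigma rule above against constructed process_creation events.

Added example, not the Sigma project's own code. Assumes the Sigma
process_creation field names Image, OriginalFileName and CommandLine.
"""

# Rule values transcribed from the YAML above.
IMAGE_SUFFIX = "\\curl.exe"            # Image|endswith: '\curl.exe'
ORIGINAL_FILE_NAME = "curl.exe"         # OriginalFileName: 'curl.exe'
CLI_PATTERNS = ("--doh-insecure", "--proxy-insecure")  # CommandLine|contains


def selection_img(event: dict) -> bool:
    """A list of maps under a selection is OR-ed: either item may match.

    The OriginalFileName branch comes from the PE header, so a renamed
    copy of curl.exe is still caught. Sigma matching is case-insensitive."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """'CommandLine|contains' with a list of values: any value may match."""
    cmd = event.get("CommandLine", "").lower()
    return any(pattern in cmd for pattern in CLI_PATTERNS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*  -> both selections must be true."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical hosts, paths and URLs).
SAMPLE_EVENTS = [
    {   # renamed binary; OriginalFileName from the PE header still says curl.exe
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "update.exe --doh-url https://doh.example/dns-query "
                       "--doh-insecure https://www.example.com/",
    },
    {   # curl.exe talking through an HTTPS proxy with certificate checks off
        "Image": "C:\\Windows\\System32\\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -x https://proxy.corp.example:3128 "
                       "--proxy-insecure https://www.example.com/",
    },
    {   # plain -k/--insecure is NOT covered by this rule (other rules handle it)
        "Image": "C:\\Windows\\System32\\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe --insecure https://www.example.com/",
    },
    {   # unrelated tool whose argument merely contains the string: selection_img fails
        "Image": "C:\\Tools\\notes.exe",
        "OriginalFileName": "notes.exe",
        "CommandLine": "notes.exe --proxy-insecure",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return one boolean per event: True where the rule would alert."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print(("ALERT " if hit else "      ") + event["CommandLine"])
```

The third and fourth events show the two ways a near-miss falls through: a bare `--insecure` does not contain either listed flag, and a matching command line from a process that is neither named curl.exe nor carries curl.exe in its PE header fails `selection_img`, so `all of selection_*` is false. That second case is also why triage should confirm the image path and parent process rather than trusting the command line alone.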
References
- https://curl.se/docs/manpage.html
Related rules
- Curl Web Request With Potential Custom User-Agent
- Local File Read Using Curl.EXE
- Potential Cookies Session Hijacking
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry