Local File Read Using Curl.EXE
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
Sigma rule (View on GitHub)
1title: Local File Read Using Curl.EXE
2id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
3status: test
4description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
5references:
6 - https://curl.se/docs/manpage.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-07-27
9tags:
10 - attack.execution
11logsource:
12 product: windows
13 category: process_creation
14detection:
15 selection_img:
16 - Image|endswith: '\curl.exe'
17 - OriginalFileName: 'curl.exe'
18 selection_cli:
19 CommandLine|contains: 'file:///'
20 condition: all of selection_*
21falsepositives:
22 - Unknown
23level: medium
24regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
References
-
Options Keep Expanded Bottom right handle resizes. --abstract-unix-socket --alt-svc --anyauth -a, --append --aws-sigv4 --basic --ca-native --cacert --capath --cert-status --cert-type -E, --cert --c...
Read More
Related rules
- Curl Web Request With Potential Custom User-Agent
- File Download From IP URL Via Curl.EXE
- Insecure Proxy/DOH Transfer Via Curl.EXE
- Insecure Transfer Via Curl.EXE
- Potential Cookies Session Hijacking