Renamed CURL.EXE Execution
Detects the execution of a renamed curl.exe binary: the process creation event's PE version-info fields (OriginalFileName or Description) identify the image as curl, but the image path itself no longer contains "\curl".
Sigma rule
```yaml
title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: test
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
    - https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023-09-11
modified: 2023-10-12
tags:
    - attack.execution
    - attack.t1059
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'curl.exe'
        - Description: 'The curl executable'
    filter_main_img:
        Image|contains: '\curl'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
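The following is an added example, not part of the Sigma project or this rule's page: a small Python re-implementation of the rule's matching logic, run over constructed process_creation events (Sysmon Event ID 1 style field names). It shows the two semantics that matter here: a list of maps under `selection` is an OR of those maps, and plain string values and `contains` in Sigma match case-insensitively. The last sample event is included to show a blind spot of the `filter_main_img` exclusion, not a case the rule claims to cover.

```python
"""Evaluate the 'Renamed CURL.EXE Execution' Sigma logic over sample events.

Added example; the events below are constructed, not real telemetry.
"""
from typing import Dict, Iterable, List

# Constructed process_creation events with the fields the rule reads.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Legitimate curl: selection matches, but the path contains "\curl" -> excluded.
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "Description": "The curl executable",
    },
    {   # Renamed copy; PE metadata still says curl (upper-case to show case-insensitivity) -> alert.
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "CURL.EXE",
        "Description": "The curl executable",
    },
    {   # OriginalFileName patched, Description left intact -> alert via the second selection map.
        "Image": r"C:\Temp\update.exe",
        "OriginalFileName": "update.exe",
        "Description": "The curl executable",
    },
    {   # Unrelated process -> no match.
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "Description": "Notepad",
    },
    {   # Renamed copy dropped into a folder named "curl": the substring filter
        # excludes it even though the file name was changed (blind spot of the filter).
        "Image": r"C:\Tools\curl\x.exe",
        "OriginalFileName": "curl.exe",
        "Description": "The curl executable",
    },
]


def _eq_ci(value: str, expected: str) -> bool:
    """Sigma plain string values match case-insensitively."""
    return value.lower() == expected.lower()


def _contains_ci(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in value.lower()


def selection(event: Dict[str, str]) -> bool:
    """'selection' is a list of maps: OR across the maps."""
    return (_eq_ci(event.get("OriginalFileName", ""), "curl.exe")
            or _eq_ci(event.get("Description", ""), "The curl executable"))


def filter_main_img(event: Dict[str, str]) -> bool:
    """'filter_main_img': Image|contains '\\curl'."""
    return _contains_ci(event.get("Image", ""), "\\curl")


def matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_img(event)


def run(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the Image paths of all events the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in run(SAMPLE_EVENTS):
        print("ALERT: renamed curl binary:", image)
```

Two practical caveats follow from the logic above. The exclusion is a substring test on the whole path, so any renamed copy placed under a directory whose name contains "curl" is silently dropped; tightening the filter to the file name (for example `Image|endswith: '\curl.exe'`) would close that gap at the cost of more hits on legitimately relocated copies. And the rule depends entirely on the PE version-info resource: an attacker who rewrites or strips both OriginalFileName and Description produces no match, so this rule complements, rather than replaces, hash- or signature-based identification of curl.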
References
- https://twitter.com/Kostastsale/status/1700965142828290260
Related rules
- Potential Arbitrary Command Execution Via FTP.EXE
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution
- Renamed PingCastle Binary Execution
- Suspicious Runscripthelper.exe