Rule: Renamed Curl Execution #4466

Closed
wants to merge 16 commits into from
28 changes: 28 additions & 0 deletions rules/windows/process_creation/proc_creation_win_renamed_curl.yml
@@ -0,0 +1,28 @@
title: Renamed Curl Execution
id: 77b2c64f-5390-4a71-9d8d-a0488a920e42
status: experimental
description: Detects the execution of a renamed curl.exe binary, a technique often used by attackers to bypass security controls. Monitoring for such activity aids in quickly detecting potential unauthorized or malicious actions involving data transfer.
references:
- https://curl.se/
author: Florian Roth (Nextron Systems)
date: 2023/09/29
tags:
- attack.t1105
- attack.t1570
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'curl.exe'
- Description: 'The curl executable' # there are case-varied versions of this but Sigma is case-insensitive
- Company:
- 'curl, https://curl.se/' # there are case-varied versions of this but Sigma is case-insensitive
- 'curl, https://curl.haxx.se/' # there are case-varied versions of this but Sigma is case-insensitive
filter:
Image|contains: '\curl'
condition: selection and not filter
falsepositives:
- It's common for certain software to rename and use curl for legitimate purposes, so this can occasionally lead to false positives
level: medium
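Review bot: the `filter` block (`Image|contains: '\curl'`) is broader than the rule needs and opens an evasion gap: it excludes any process whose path contains a directory or file name starting with "curl", so `C:\Tools\curl\dropper.exe` or `%TEMP%\curl_x.exe` would be a renamed curl.exe that never alerts, while it also silently hides the legitimate-looking case the rule is meant to catch if the attacker keeps the prefix. Prefer an exact image-name match such as `Image|endswith: '\curl.exe'`; Sigma string matching is case-insensitive, so `CURL.EXE` is still covered without listing variants. Two smaller points on the same hunk: the `tags` list carries only the transfer techniques (t1105, t1570, t1048) although the behaviour detected is a renamed system utility, i.e. Masquerading, so `attack.defense_evasion` and `attack.t1036.003` should be added and the tactic tags for the existing techniques are missing; and since the selection relies on PE version fields (OriginalFileName, Description, Company), the rule only fires on sources that populate them (Sysmon Event ID 1 or an EDR feed), not on native Security 4688 events, which is worth stating in `description` or `falsepositives` so deployers do not assume coverage they do not have.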