Suspicious Curl.EXE Download

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1105` Ingress Tool Transfer

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_curl`

or:
Image|endswith: '\curl.exe'
Product: 'The curl executable'

Stage 2: `1 of selection_susp_locations`

or:
CommandLine|contains: '%AppData%'
CommandLine|contains: '%Public%'
CommandLine|contains: '%Temp%'
CommandLine|contains: '%tmp%'
CommandLine|contains: 'C:\PerfLogs\'
CommandLine|contains: 'C:\ProgramData\'
CommandLine|contains: 'C:\Windows\Temp\'
CommandLine|contains: '\AppData\'
CommandLine|contains: '\Desktop\'
CommandLine|contains: '\Temp\'
CommandLine|contains: '\Users\Public\'

Stage 3: `1 of selection_susp_extensions`

or:
CommandLine|endswith: .dll
CommandLine|endswith: .gif
CommandLine|endswith: .jpeg
CommandLine|endswith: .jpg
CommandLine|endswith: .png
CommandLine|endswith: .temp
CommandLine|endswith: .tmp
CommandLine|endswith: .txt
CommandLine|endswith: .vbe
CommandLine|endswith: .vbs

Stage 4: `not 1 of filter_optional_git_windows`

CommandLine|contains: '--silent --show-error --output '
CommandLine|contains: AppData
CommandLine|contains: gfw-httpget-
Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	ends_with	`.dll` corpus 9 (sigma 9) `.gif` corpus 4 (sigma 4) `.jpeg` corpus 4 (sigma 4) `.jpg` corpus 2 (sigma 2) `.png` corpus 4 (sigma 4) `.temp` corpus 2 (sigma 2) `.tmp` corpus 2 (sigma 2) `.txt` corpus 3 (sigma 3) `.vbe` corpus 7 (sigma 7) `.vbs` corpus 7 (sigma 7)
`CommandLine`	match	`%AppData%` corpus 7 (sigma 7) `%Public%` corpus 4 (sigma 4) `%Temp%` corpus 4 (sigma 4) `%tmp%` corpus 9 (sigma 9) `--silent --show-error --output` `AppData` `C:\PerfLogs\` `C:\ProgramData\` corpus 6 (sigma 6) `C:\Windows\Temp\` corpus 4 (sigma 4) `\AppData\` corpus 8 (sigma 8) `\Desktop\` corpus 11 (sigma 11) `\Temp\` corpus 7 (sigma 7) `\Users\Public\` corpus 17 (sigma 17) `gfw-httpget-`
`Image`	ends_with	`\curl.exe` corpus 19 (sigma 19)
`Image`	eq	`C:\Program Files\Git\mingw64\bin\curl.exe`
`ParentImage`	eq	`C:\Program Files\Git\usr\bin\sh.exe`
`Product`	eq	`The curl executable`

Suspicious Curl.EXE Download

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_curl

Stage 2: 1 of selection_susp_locations

Stage 3: 1 of selection_susp_extensions

Stage 4: not 1 of filter_optional_git_windows

Indicators

Stage 1: `selection_curl`

Stage 2: `1 of selection_susp_locations`

Stage 3: `1 of selection_susp_extensions`

Stage 4: `not 1 of filter_optional_git_windows`