sigmahighHunting

Curl Download And Execute Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

MITRE ATT&CK

T1218 T1105

defense-evasioncommand-and-control

Detection Query

selection:
  CommandLine|contains|windash: " -c "
  CommandLine|contains|all:
    - "curl "
    - http
    - -o
    - "&"
condition: selection

Author

Sreeman, Nasreddine Bencherchali (Nextron Systems)

Created

2020-01-13

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983

Tags

attack.defense-evasionattack.t1218attack.command-and-controlattack.t1105

Raw Content

title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
    - Unknown
level: high