← Back to Explore
sigmamediumHunting
Insecure Proxy/DOH Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
Detection Query
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_cli:
CommandLine|contains:
- --doh-insecure
- --proxy-insecure
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-07-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.execution
Raw Content
title: Insecure Proxy/DOH Transfer Via Curl.EXE
id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
status: test
description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
CommandLine|contains:
- '--doh-insecure'
- '--proxy-insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml