← Back to Explore
sigmamediumHunting
Potential Cookies Session Hijacking
Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
Detection Query
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_cli:
- CommandLine|re: \s-c\s
- CommandLine|contains: --cookie-jar
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-07-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.execution
Raw Content
title: Potential Cookies Session Hijacking
id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
status: test
description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
- CommandLine|re: '\s-c\s'
- CommandLine|contains: '--cookie-jar'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml