Curl Web Request With Potential Custom User-Agent

title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: test
description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
modified: 2025-12-11
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # Example: This command line would trigger the rule
    # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_header_flag_1:
        CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
    selection_header_flag_2:
        CommandLine|contains: '--header'
    selection_user_agent:
        CommandLine|contains: 'User-Agent:'
    condition: selection_img and 1 of selection_header_* and selection_user_agent
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml