← Back to Explore
sigmamediumHunting
Insecure Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "--insecure" flag.
Detection Query
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_cli:
- CommandLine|re: \s-k\s
- CommandLine|contains: --insecure
condition: all of selection_*
Author
X__Junior (Nextron Systems)
Created
2023-06-30
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.execution
Raw Content
title: Insecure Transfer Via Curl.EXE
id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
status: test
description: Detects execution of "curl.exe" with the "--insecure" flag.
references:
- https://curl.se/docs/manpage.html
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
- CommandLine|re: '\s-k\s'
- CommandLine|contains: '--insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml