LoFP / access to badly maintained internal or development systems

Techniques

Sample rules

Insecure Transfer Via Curl.EXE

Description

Detects execution of "curl.exe" with the "--insecure" flag (or its short form "-k"), which disables TLS server certificate verification for the transfer.

Detection logic

detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        - CommandLine|re: '\s-k\s'
        - CommandLine|contains: '--insecure'
    condition: all of selection_*

Insecure Proxy/DOH Transfer Via Curl.EXE

Description

Detects execution of "curl.exe" with the "--proxy-insecure" or "--doh-insecure" flag, which disable TLS certificate verification for the HTTPS proxy connection or for the DNS-over-HTTPS resolver respectively.

Detection logic

detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        CommandLine|contains:
            - '--doh-insecure'
            - '--proxy-insecure'
    condition: all of selection_*
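Both rules' selections, evaluated over a handful of constructed process-creation events, as an added Python example (not code from this page or from the Sigma project). It assumes the usual Sigma semantics: a list of maps inside a selection is OR-ed, a list of values under one field is OR-ed, `contains`/`endswith` are case-insensitive, `re` is case-sensitive, and `all of selection_*` ANDs the selections. The event records and their paths are constructed; the field names are the Sysmon/Sigma ones the rules use.

```python
import re

# Sigma semantics assumed here:
#   selection_img: list of maps  -> OR (Image endswith \curl.exe OR OriginalFileName == curl.exe)
#   selection_cli: list of maps  -> OR; a list of values under one field -> OR of the values
#   condition: all of selection_* -> selection_img AND selection_cli
SHORT_K = re.compile(r"\s-k\s")  # CommandLine|re: '\s-k\s' (case-sensitive, needs whitespace on both sides)


def selection_img(event):
    """Shared image selection of both rules: real path or the PE's OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\curl.exe") or original == "curl.exe"


def insecure_transfer(event):
    """Insecure Transfer Via Curl.EXE: -k or --insecure on a curl.exe process."""
    cli = event.get("CommandLine", "")
    cli_hit = SHORT_K.search(cli) is not None or "--insecure" in cli.lower()
    return selection_img(event) and cli_hit


def insecure_proxy_doh(event):
    """Insecure Proxy/DOH Transfer Via Curl.EXE: --doh-insecure or --proxy-insecure."""
    cli = event.get("CommandLine", "").lower()
    cli_hit = any(flag in cli for flag in ("--doh-insecure", "--proxy-insecure"))
    return selection_img(event) and cli_hit


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
EVENTS = [
    # 1: classic -k against an internal host with a self-signed cert (the false positive this page is about)
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -k https://intranet.example.local/build.zip -o build.zip"},
    # 2: long form of the same flag
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe --insecure https://dev.example.local/api/status"},
    # 3: renamed binary; Image no longer ends with \curl.exe, OriginalFileName still matches
    {"Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "cu.exe --proxy-insecure -x https://proxy.example.local:8080 https://example.com/"},
    # 4: -k as the last token; \s-k\s has no trailing whitespace to match
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.com/ -k"},
    # 5: benign curl with certificate verification left on
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.com/"},
    # 6: ' -k ' in a non-curl process; selection_cli alone is not enough
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c sometool -k -v"},
]


def run_rules(events):
    """Return (Insecure Transfer, Insecure Proxy/DOH) verdicts per event, in order."""
    return [(insecure_transfer(e), insecure_proxy_doh(e)) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(EVENTS, run_rules(EVENTS)):
        print(verdict, e["CommandLine"])
```

Two things worth checking in your own pipeline: the OriginalFileName branch is what keeps event 3 (a renamed curl) in scope, so make sure that field is actually populated by your process-creation source; and the `\s-k\s` regex needs whitespace on both sides, so a trailing `-k` (event 4) or a bundled short flag such as `-kL` is not caught by that selection.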