Techniques
Sample rules
Linux Ingress Tool Transfer with Curl
- source: splunk
- technicques:
- T1105
Description
The following analytic detects the use of the curl command with specific switches (-O, -sO, -ksO, –output) commonly used to download remote scripts or binaries. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to download and execute potentially malicious files, often used in initial stages of an attack. If confirmed malicious, this could lead to unauthorized code execution, enabling attackers to compromise the system further.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where match(process, "(?i)(-O
|-sO
|-ksO
|--output)")
| `linux_ingress_tool_transfer_with_curl_filter`