Windows Curl Download to Suspicious Path
- source: splunk
- techniques:
- T1105
Description
The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. -O or --output is used when a file is to be downloaded and placed in a specified location. During triage, review parallel processes for further behavior. In addition, identify whether the download was successful. If a file was downloaded, capture and analyze it.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN ("*-O *","*--output*") Processes.process IN ("*\\appdata\\*","*\\programdata\\*","*\\public\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_curl_download_to_suspicious_path_filter`
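As an added example that is not part of the Splunk content above, the following Python reimplements the search's matching and its `by`-clause aggregation over constructed Endpoint.Processes events. The expansion of the `process_curl` macro (process_name or original_file_name equal to curl.exe) and the case-insensitive wildcard comparison are assumptions about Splunk's behaviour, and the event fields and command lines are constructed samples.

```python
import fnmatch
# Patterns copied from the rule's where clause.
OUTPUT_FLAG_PATTERNS = ("*-O *", "*--output*")
SUSPICIOUS_PATH_PATTERNS = ("*\\appdata\\*", "*\\programdata\\*", "*\\public\\*")
def _any_match(value, patterns):
    # Splunk compares field values case-insensitively, so lowercase both sides.
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

def is_curl(event):
    # Assumed expansion of `process_curl`: image name or PE original file name is
    # curl.exe, so a renamed binary is still caught via original_file_name.
    return "curl.exe" in (event.get("process_name", "").lower(),
                          event.get("original_file_name", "").lower())

def matches_rule(event):
    cmd = event.get("process", "")
    return (is_curl(event) and _any_match(cmd, OUTPUT_FLAG_PATTERNS)
            and _any_match(cmd, SUSPICIOUS_PATH_PATTERNS))

def detect(events):
    # Aggregate like the `by` clause: one row per key with count/firstTime/lastTime.
    rows = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["dest"], ev["user"], ev["parent_process_name"], ev["process_name"], ev["process"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows

def _ev(t, user, parent, name, cmd, orig="curl.exe"):
    return {"_time": t, "dest": "WS01", "user": user, "parent_process_name": parent,
            "process_name": name, "original_file_name": orig, "process": cmd}
# Constructed sample Endpoint.Processes events, not real telemetry.
SAMPLE_EVENTS = [
    _ev(1700000000, "alice", "cmd.exe", "curl.exe",
        r"curl.exe -o C:\Users\alice\AppData\Local\Temp\a.exe http://example.invalid/a.exe"),
    _ev(1700000060, "bob", "explorer.exe", "curl.exe",
        r"curl.exe --output C:\ProgramData\upd.dat https://example.invalid/u"),
    _ev(1700000120, "bob", "cmd.exe", "curl.exe",  # -O but no suspicious path: no hit
        r"curl.exe -O https://example.invalid/f.txt"),
    _ev(1700000180, "carol", "explorer.exe", "notepad.exe",  # not curl: no hit
        r"notepad.exe C:\Users\Public\notes.txt", orig="notepad.exe"),
    _ev(1700000240, "dave", "cmd.exe", "cu.exe",  # renamed curl, caught via original_file_name
        r"cu.exe -o C:\Users\Public\x.exe http://example.invalid/x"),
]
```

Running `detect(SAMPLE_EVENTS)` yields three rows (the two curl.exe downloads into AppData and ProgramData, and the renamed binary writing under Public), while the bare `-O` fetch and the non-curl event fall through.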