Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Insecure Proxy/DOH Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Jul 272c1486f5-02e8-4f86-9099-b97f2da4ed77windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        CommandLine|contains:
            - '--doh-insecure'
            - '--proxy-insecure'
    condition: all of selection_*
False Positives

Access to badly maintained internal or development systems

References
1
Resolving title…
curl.se
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
2c1486f5-02e8-4f86-9099-b97f2da4ed77
Status
test
Level
medium
Type
Detection
Created
Thu Jul 27
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
Raw Tags
attack.execution
View on GitHub