Threat Huntmediumtest

Curl.EXE Execution With Custom UserAgent

Detects execution of curl.exe with custom useragent options

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Jan 23Updated Tue Feb 213286d37a-00fd-41c2-a624-a672dcd34e60windows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_curl:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_opt:
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: all of selection_*

False Positives

Scripts created by developers and admins

Administrative activity

References

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Sub-techniques

T1071.001 · Web Protocols

Other

detection.threat-hunting

Rule Metadata

Rule ID

3286d37a-00fd-41c2-a624-a672dcd34e60

Status

test

Level

medium

Type

Threat Hunt

Created

Sun Jan 23

Modified

Tue Feb 21

Author

François Hubaut

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml

Raw Tags

attack.command-and-controlattack.t1071.001detection.threat-hunting

View on GitHub