Detectionmediumtest

Insecure Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "--insecure" flag.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

X__Junior (Nextron Systems)Created Fri Jun 30cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ecwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        - CommandLine|re: '\s-k\s'
        - CommandLine|contains: '--insecure'
    condition: all of selection_*

False Positives

Access to badly maintained internal or development systems

References

Resolving title…

curl.se

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0002 · Execution

Rule Metadata

Rule ID

cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec

Status

test

Level

medium

Type

Detection

Created

Fri Jun 30

Author

X__Junior (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml

Raw Tags

attack.execution

View on GitHub