Suspicious Curl File Upload - Linux

Original Source: [Sigma source]
Title: Suspicious Curl File Upload - Linux
Status: test
Description:Detects a suspicious curl process start the adds a file to a web request
References:
  -https://twitter.com/d1r4c/status/1279042657508081664
   -https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
   -https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
   -https://curl.se/docs/manpage.html
   -https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 Author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
Date: 2022-09-15
modified:2023-05-02
Tags:
  • -'attack.exfiltration'
  • -'attack.t1567'
  • -'attack.t1105'
Logsource:
  • category: process_creation
  • product: linux
Detection:
  selection_img:
    Image|endswith: '/curl'
  selection_cli:
    - CommandLine|contains:
      - ' --form'
      - ' --upload-file '
      - ' --data '
      - ' --data-'
CommandLine|re:'\s-[FTd]\s'   filter_optional_localhost:
    CommandLine|contains:
      -'://localhost'
      -'://127.0.0.1'

  condition:all of selection_* and not 1 of filter_optional_*
Falsepositives:
  -Scripts created by developers and admins
Level: medium

© 2024 DetectionCode Website. All Rights Reserved.