Hub configuration

More info

1type: trigger

2name: sigmahq/proc_creation_win_curl_download_direct_ip_susp_extensions

3description: |

4 Detects potentially suspicious file downloads directly from IP addresses using curl.exe

5filter: |

6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\curl.exe' || evt.Parsed.OriginalFileName == 'curl.exe') && evt.Parsed.CommandLine matches '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' && evt.Parsed.CommandLine contains 'http' && (evt.Parsed.CommandLine contains ' -O' || evt.Parsed.CommandLine contains '--remote-name' || evt.Parsed.CommandLine contains '--output') && (evt.Parsed.CommandLine endsWith '.bat' || evt.Parsed.CommandLine endsWith '.bat"' || evt.Parsed.CommandLine endsWith '.dat' || evt.Parsed.CommandLine endsWith '.dat"' || evt.Parsed.CommandLine endsWith '.dll' || evt.Parsed.CommandLine endsWith '.dll"' || evt.Parsed.CommandLine endsWith '.exe' || evt.Parsed.CommandLine endsWith '.exe"' || evt.Parsed.CommandLine endsWith '.gif' || evt.Parsed.CommandLine endsWith '.gif"' || evt.Parsed.CommandLine endsWith '.hta' || evt.Parsed.CommandLine endsWith '.hta"' || evt.Parsed.CommandLine endsWith '.jpeg' || evt.Parsed.CommandLine endsWith '.jpeg"' || evt.Parsed.CommandLine endsWith '.log' || evt.Parsed.CommandLine endsWith '.log"' || evt.Parsed.CommandLine endsWith '.msi' || evt.Parsed.CommandLine endsWith '.msi"' || evt.Parsed.CommandLine endsWith '.png' || evt.Parsed.CommandLine endsWith '.png"' || evt.Parsed.CommandLine endsWith '.ps1' || evt.Parsed.CommandLine endsWith '.ps1"' || evt.Parsed.CommandLine endsWith '.psm1' || evt.Parsed.CommandLine endsWith '.psm1"' || evt.Parsed.CommandLine endsWith '.vbe' || evt.Parsed.CommandLine endsWith '.vbe"' || evt.Parsed.CommandLine endsWith '.vbs' || evt.Parsed.CommandLine endsWith '.vbs"' || evt.Parsed.CommandLine endsWith '.bat\'' || evt.Parsed.CommandLine endsWith '.dat\'' || evt.Parsed.CommandLine endsWith '.dll\'' || evt.Parsed.CommandLine endsWith '.exe\'' || evt.Parsed.CommandLine endsWith '.gif\'' || evt.Parsed.CommandLine endsWith '.hta\'' || evt.Parsed.CommandLine endsWith '.jpeg\'' || evt.Parsed.CommandLine endsWith '.log\'' || evt.Parsed.CommandLine endsWith '.msi\'' || evt.Parsed.CommandLine endsWith '.png\'' || evt.Parsed.CommandLine endsWith '.ps1\'' || evt.Parsed.CommandLine endsWith '.psm1\'' || evt.Parsed.CommandLine endsWith '.vbe\'' || evt.Parsed.CommandLine endsWith '.vbs\''))

7blackhole: 2m

8#status: test

9labels:

10 service: windows

11 confidence: 1

12 spoofable: 0

13 classification:

15 label: "Suspicious File Download From IP Via Curl.EXE"

16 behavior : "windows:audit"

17 remediation: false

19scope:

20 type: ParentProcessId

21 expression: evt.Parsed.ParentProcessId

Hub configuration

« proc_creation_win_curl_download_direct_ip_susp_extensions »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0confidence:1

« proc_creation_win_curl_download_direct_ip_susp_extensions »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0confidence:1