Add files via upload

This commit is contained in:
sreemanshanker 2020-01-30 11:29:01 +08:00 committed by GitHub
parent ba7c634f1a
commit d5c7b4795d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,28 @@
Reference: https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
author: Sreeman
description: Adversaries can use curl to download payloads remotely and execute them
without touching disk. Curl is included by default in Windows 10 build 17063 and
later.
detection:
condition: selection
selection:
CommandLine|re:
- .*(?i)curl.*(http|https|ftp|ftps)://\b(?:\d{1,3}\.){3}\d{1,3}\b./*.* &[&]?
start.*
- .*(?i)curl.*(http|https|ftp|ftps)://.*/.* &[&]? start.*
falsepositives:
- unlikely
fields:
- CommandLine
level: medium
logsource:
category: process_creation
product: windows
status: stable
title: Monitoring curl for LOLbin execution
tags:
- attack.defense evasion
- attack.execution
- attack.g0032
- attack.g0068
- attack.t1059
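Review bot: the first `CommandLine|re` entry, `.*(?i)curl.*(http|https|ftp|ftps)://\b(?:\d{1,3}\.){3}\d{1,3}\b./*.* &[&]? start.*`, has `./*` where the second entry uses `/.*`, which reads as a typo and changes what the path part matches; it is also fully covered by the second entry, since any URL with a dotted-quad host already matches `(http|https|ftp|ftps)://.*/.*`, so either drop the first pattern or keep it only if the IP-literal case is meant to be scored separately. Placing `(?i)` mid-pattern works in most engines but is clearer at the start of each pattern, and the first pattern is wrapped across two lines in the file, which is worth checking in the stored YAML. On the metadata: `Reference:` should be the Sigma `references:` list, the tag `attack.defense evasion` should be written `attack.defense_evasion`, and the rule lacks `id` and `date`; `falsepositives: unlikely` is optimistic for scripted `curl ... && start` downloads by administrators and installers, so naming those cases would help triage.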