title: Suspicious Curl Usage on Windows
id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
status: experimental
description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
author: Florian Roth
date: 2020/07/03
modified: 2020/09/05
references:
    - https://twitter.com/reegun21/status/1222093798009790464
logsource:
    category: process_creation
    product: windows
tags:
    - attack.command_and_control
    - attack.t1105
detection:
    selection1:
        Image|endswith: '\curl.exe'
    selection2:
        Product: 'The curl executable'
    selection3: 
        CommandLine|contains: ' -O '
    condition: ( selection1 or selection2 ) and selection3
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium