← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Cookies Session Hijacking

Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.

Quality
72
FP risk
Forks
0
Views
0
Rule sourcerules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
title: Potential Cookies Session Hijacking
id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
status: test
description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        - CommandLine|re: '\s-c\s'
        - CommandLine|contains: '--cookie-jar'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml