splApache-2.0from splunk/security_content
Windows Curl Download to Suspicious Path
The following analytic detects the use of Windows Curl.exe to download a file to a suspicious location, such as AppData, ProgramData, or Public directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include the -O or --output options. This activity is significant because downloading files to these locations can indicate an attempt to bypass security controls or establish persistence. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further compromise of the system.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_curl_download_to_suspicious_path.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
(
Processes.process_name=curl.exe
OR
Processes.original_file_name=Curl.exe
)
Processes.process IN ("*-O *","*--output*", "*--output-dir*")
Processes.process IN (
"*:\\PerfLogs\\*",
"*:\\Windows\\Temp\\*",
"*\\AppData\\*",
"*\\ProgramData\\*",
"*\\Users\\Public\\*",
"*%AppData%*",
"*%Public%*",
"*%Temp%*",
"*%tmp%*"
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_curl_download_to_suspicious_path_filter`