title: Suspicious Curl Usage on Windows
author: Florian Roth
date: 2020/07/03
description: Detects a suspicious curl process start on Windows and outputs the requested
  document to a local file
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\curl.exe'
  SELECTION_3:
    Product: The curl executable
  SELECTION_4:
    CommandLine: '* -O *'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Scripts created by developers and admins
- Administrative activity
fields:
- CommandLine
- ParentCommandLine
id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2020/09/05
references:
- https://twitter.com/reegun21/status/1222093798009790464
status: experimental
tags:
- attack.command_and_control
- attack.t1105