
Summary
This rule detects suspicious use of the 'curl' command on Linux systems where a user-agent option is explicitly set. The detection triggers when a process whose image name ends in '/curl' is executed with a command line containing the parameter '-A' or '--user-agent'. Because attackers often use curl in command-and-control scenarios and set a custom user-agent so that their traffic blends in with legitimate browser traffic, curl invocations with explicit or atypical user-agents are flagged for further investigation. False positives may occur in legitimate development or administrative activity, where scripts often set a user-agent to mimic browser requests. This rule is critical for monitoring potentially malicious activity and is relevant wherever user-agent manipulation could indicate an attempt to bypass network defenses or exfiltrate data discreetly.
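The detection logic described above, written out as an added Python example (not the rule's own source); the event field names 'Image' and 'CommandLine' and the sample events are assumptions. It also shows one reason the plain substring match over-triggers: '-A' appearing inside a URL path matches as well, which a token-aware user-agent extractor separates out for triage.

```python
# Added example: the rule's logic as a standalone function, run over
# constructed process-creation events. Field names are assumed.
import shlex
from typing import Optional

UA_FLAGS = ("-A", "--user-agent")


def matches_rule(event: dict) -> bool:
    """Rule as described: image ends with '/curl' and the command line
    contains '-A' or '--user-agent' (plain substring match)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return image.endswith("/curl") and any(f in cmdline for f in UA_FLAGS)


def extract_user_agent(cmdline: str) -> Optional[str]:
    """Triage helper: return the explicit user-agent value, handling
    '-A value', '-Avalue', '--user-agent value' and '--user-agent=value'.
    Returns None when no user-agent option is actually present."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes; leave for manual review
    for i, tok in enumerate(argv):
        if tok in ("-A", "--user-agent"):
            return argv[i + 1] if i + 1 < len(argv) else ""
        if tok.startswith("--user-agent="):
            return tok[len("--user-agent="):]
        if tok.startswith("-A") and len(tok) > 2:
            return tok[2:]
    return None


# Constructed sample events (assumed field names)
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl", "CommandLine": "curl -A 'Mozilla/5.0' https://example.com/update"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl --user-agent=Mozilla/5.0 -o /tmp/f https://example.com/"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl https://example.com/release-A1.tgz"},  # substring hit, no UA
    {"Image": "/usr/bin/curl", "CommandLine": "curl -s https://example.com/"},  # no UA option
    {"Image": "/usr/bin/wget", "CommandLine": "wget --user-agent=Mozilla https://example.com/"},  # not curl
]


def run_detection(events) -> list:
    """Return (command line, extracted user-agent) for each flagged event."""
    return [(ev["CommandLine"], extract_user_agent(ev["CommandLine"]))
            for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for cmd, ua in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {cmd!r} user-agent={ua!r}")
```

A hit with user-agent None is a candidate false positive worth suppressing or re-checking before escalation.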
Categories
- Linux
Data Sources
- Process
Created: 2022-09-15