
Suspicious Curl Change User Agents - Linux

Sigma Rules

Summary
This rule detects suspicious use of the 'curl' command on Linux systems where a user-agent is explicitly set. It triggers when a process whose image name ends in '/curl' is executed with a command line containing the '-A' or '--user-agent' parameter. Because attackers often use curl in command-and-control scenarios and set an atypical user-agent so the requests blend in with legitimate traffic, this usage is flagged for further investigation. False positives may occur in legitimate development or administrative activity, where scripts frequently set a user-agent to mimic browser requests. The rule is useful for monitoring potentially malicious activity in contexts where user-agent manipulation could indicate an attempt to bypass network defenses or exfiltrate data discreetly.
Categories
  • Linux
Data Sources
  • Process
Created: 2022-09-15