Linux Ingress Tool Transfer with Curl

Splunk Security Content

Summary
This analytic detects potentially unauthorized file transfers performed with the curl command on Linux hosts by looking for the flags that fetch remote content to disk. It draws on Endpoint Detection and Response (EDR) process telemetry, matching on the process name and command-line arguments of curl. The flags of interest, -O, -sO, -ksO and --output, indicate that a script or binary is being downloaded from a remote location, behaviour commonly seen in the early stage of an intrusion when an attacker stages malware or tooling to gain further access. An alert is raised when these conditions are met, and analysts can pivot on the user and process fields available through the datamodel for Endpoint Processes. To reduce risk, organizations should define how contextual use of curl is reviewed, particularly in environments where downloads are restricted or monitored.
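As an added example, not Splunk's own rule logic or SPL, the matching idea expressed as a Python check over constructed EDR process events. It generalizes slightly beyond the four flags named above: any clustered short option containing O or o counts (so -Os matches as well as -sO), and the long forms --output and --remote-name (assumed here as curl's long spelling of -O) are matched; the event field names are assumptions modelled on the Endpoint Processes datamodel.

```python
import shlex
from dataclasses import dataclass

# Long options that write retrieved content to disk. --output is the one the rule
# names; --remote-name is assumed here as the long form of -O.
LONG_DOWNLOAD_OPTS = {"--output", "--remote-name"}
# Short options doing the same: -O (remote name) and -o (short form of --output).
SHORT_DOWNLOAD_CHARS = set("Oo")


@dataclass
class ProcessEvent:
    """One EDR process event; field names are assumed, mirroring Endpoint.Processes."""
    host: str
    user: str
    process_name: str
    process: str  # full command line as recorded by the agent


def has_download_flag(cmdline: str) -> bool:
    """True if a curl command line carries a flag that writes remote content to disk."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False  # unbalanced quotes: a malformed record, not evidence of a download
    for arg in argv[1:]:
        if arg.startswith("--"):
            # covers --output, --output=file and --remote-name; ignores e.g. --output-dir
            if arg.split("=", 1)[0] in LONG_DOWNLOAD_OPTS:
                return True
        elif arg.startswith("-") and len(arg) > 1:
            # curl accepts clustered short options, so -O, -sO, -ksO and -Os all count;
            # quoted values such as -H 'Accept: -O' arrive as one token and are skipped
            if SHORT_DOWNLOAD_CHARS & set(arg[1:]):
                return True
    return False


def detect(events):
    """Return one alert per matching curl process with the fields an analyst pivots on."""
    return [
        {"host": ev.host, "user": ev.user, "process": ev.process}
        for ev in events
        if ev.process_name == "curl" and has_download_flag(ev.process)
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "www-data", "curl", "curl -ksO http://example.com/update.sh"),
    ProcessEvent("web01", "deploy", "curl", "curl --output /tmp/tool http://example.com/tool"),
    ProcessEvent("db02", "admin", "curl", "curl -sS -H 'Accept: -O' https://example.com/health"),
    ProcessEvent("db02", "admin", "wget", "wget -O /tmp/x http://example.com/x"),  # not curl
]
```

Run `detect(SAMPLE_EVENTS)` to see the two expected alerts; the health check and the wget event are left alone.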
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Logon Session
ATT&CK Techniques
  • T1105
Created: 2024-12-19