Adversaries use curl, a living-off-the-land binary that ships with current Windows and Linux builds, to pull payloads and tooling onto a compromised host (MITRE ATT&CK Ingress Tool Transfer, T1105) and to reach command-and-control infrastructure. The KNOTWEED query below baselines the remote URLs and IP addresses seen in curl command lines over the previous seven days and surfaces any curl activity in the last day that reaches a remote file not in that baseline, so SOC teams can hunt in Microsoft Sentinel (formerly Azure Sentinel) for first-seen downloads before the payload is executed.
KQL Query

```kusto
// Baseline: every remote file (an http(s) URL, or an IP plus trailing path) that curl
// fetched in the 7 days up to yesterday. `has` is a whole-term match, so "curl" covers curl.exe.
let known_files = DeviceNetworkEvents
| where Timestamp between (ago(7d)..ago(1d))
| where InitiatingProcessFileName has "curl"
| extend url = extract("http[s]?:\\/\\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+", 0, InitiatingProcessCommandLine)
| extend ip = extract("(\\b25[0-5]|\\b2[0-4][0-9]|\\b[01]?[0-9][0-9]?)(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}[^ ]*", 0, InitiatingProcessCommandLine)
// A URL wins over a bare IP when both are present.
| extend remote_file = iif(isnotempty(url), url, ip)
| where isnotempty(remote_file)
| summarize by remote_file;
// Candidates: curl activity in the last day whose remote file is absent from the baseline.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName has "curl"
| extend url = extract("http[s]?:\\/\\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+", 0, InitiatingProcessCommandLine)
| extend ip = extract("(\\b25[0-5]|\\b2[0-4][0-9]|\\b[01]?[0-9][0-9]?)(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}[^ ]*", 0, InitiatingProcessCommandLine)
| extend remote_file = iif(isnotempty(url), url, ip)
// Command lines with neither a scheme nor a literal IP (e.g. `curl host/file`) yield an
// empty remote_file; drop them explicitly instead of reporting one blank "new file" or
// silently hiding them behind an empty baseline entry.
| where isnotempty(remote_file)
| where remote_file !in (known_files)
```
```yaml
id: fac7874e-00de-4509-85f2-9aa02ea9887f
name: KNOTWEED-Downloading new file using Curl
description: |
  'This query looks for new files being downloaded using Curl.'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
relevantTechniques:
query: |
  let known_files = DeviceNetworkEvents
  | where Timestamp between (ago(7d)..ago(1d))
  | where InitiatingProcessFileName has "curl"
  | extend url = extract("http[s]?:\\/\\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+", 0, InitiatingProcessCommandLine)
  | extend ip = extract("(\\b25[0-5]|\\b2[0-4][0-9]|\\b[01]?[0-9][0-9]?)(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}[^ ]*", 0, InitiatingProcessCommandLine)
  | extend remote_file = iif(isnotempty(url), url, ip)
  | where isnotempty(remote_file)
  | summarize by remote_file;
  DeviceNetworkEvents
  | where Timestamp > ago(1d)
  | where InitiatingProcessFileName has "curl"
  | extend url = extract("http[s]?:\\/\\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+", 0, InitiatingProcessCommandLine)
  | extend ip = extract("(\\b25[0-5]|\\b2[0-4][0-9]|\\b[01]?[0-9][0-9]?)(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}[^ ]*", 0, InitiatingProcessCommandLine)
  | extend remote_file = iif(isnotempty(url), url, ip)
  | where isnotempty(remote_file)
  | where remote_file !in (known_files)
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure it is enabled. |
The scenarios below are written in a generic process/file field notation rather than against the DeviceNetworkEvents schema. To turn one into a KQL exclusion, the closest columns are InitiatingProcessParentFileName (parent process), InitiatingProcessAccountName (user), RemoteIP (where the file came from) and InitiatingProcessCommandLine (the curl -o output path); DeviceNetworkEvents has no destination-path column, so a path-based exclusion needs the command line or DeviceFileEvents. Friendly names such as "Windows Update" or "Jenkins" must be replaced with the actual parent image name before use, and because the query only keeps events whose initiating process is curl, a wrapper tool shows up as the parent, not as the process.
Scenario: Scheduled system update via Curl
Description: A system administrator uses Curl to download a legitimate system update from a trusted internal repository.
Filter/Exclusion: process.parent_process_name:"Windows Update" OR process.parent_process_name:"Task Scheduler" OR file.source_ip IN ("10.0.0.1", "10.0.0.2")
Scenario: Admin performing manual file download for troubleshooting
Description: An admin uses Curl to download a diagnostic tool or log file from a known internal server for troubleshooting purposes.
Filter/Exclusion: (process.user_name:"admin" AND file.destination_path:"C:\\Temp\\") OR (process.user_name:"admin" AND file.destination_path:"C:\\Logs\\")
Keep this one narrow: it exempts every download the admin account drops into those folders, which is exactly what an attacker holding admin credentials would do, so pair it with the source host or the parent process rather than the user alone.
Scenario: CI/CD pipeline pulling dependencies using Curl
Description: A continuous integration/continuous deployment (CI/CD) pipeline uses Curl to fetch dependencies from a private artifact repository.
Filter/Exclusion: process.parent_process_name:"Jenkins" OR process.parent_process_name:"GitLab CI" OR file.destination_path:"C:\\CI\\artifacts\\"
Scenario: Internal tool for data synchronization using Curl
Description: A custom internal tool, such as a data sync utility, uses Curl to transfer files between servers within the enterprise network.
Filter/Exclusion: process.parent_process_name:"sync_tool.exe" OR file.destination_path:"C:\\Sync\\Data\\" OR file.source_ip within 10.10.0.0/24
The last clause is a CIDR test, not a membership test: IN compares whole values and would never match a network, so in KQL use ipv4_is_in_range(RemoteIP, "10.10.0.0/24"). sync_tool.exe is the parent here because the initiating process in every hit is curl.
Scenario: User downloading a file for personal use (e.g., software license)
Description: A user downloads a software license file or a legitimate tool from an internal file share using Curl.
Filter/Exclusion: `file.destination_path:“C:\Users\