Adversaries may run curl with a modified user agent so that command-and-control traffic or data exfiltration blends in with ordinary browser or tool traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activity or data exfiltration attempts.
Detection Rule
title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
      type: derived
status: test
description: Detects a suspicious curl process start on Linux with user agent options set
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
imProcessCreate
| where TargetProcessName endswith "/curl" and (TargetProcessCommandLine contains " -A " or TargetProcessCommandLine contains " --user-agent ")
Scenario: System update or package installation using curl to fetch a repository index
Filter/Exclusion: Check for curl commands that include URLs matching known package repositories (e.g., http://archive.ubuntu.com, https://apt.ubuntu.com)
Example Filter: process.command_line contains "curl" and process.args contains "http://archive.ubuntu.com"
Scenario: Scheduled job to fetch logs or metrics from an internal monitoring system
Filter/Exclusion: Exclude processes associated with known monitoring tools (e.g., telegraf, datadog-agent, prometheus)
Example Filter: process.name in ("telegraf", "datadog-agent", "prometheus")
Scenario: Admin task to download a trusted configuration file or script from a secure internal server
Filter/Exclusion: Exclude curl commands that target internal IP ranges or known internal servers (e.g., 10.0.0.0/8, 192.168.0.0/16)
Example Filter: process.args contains "10.0.0." or process.args contains "192.168.0."
Scenario: CI/CD pipeline using curl to fetch dependencies or artifacts from a private registry
Filter/Exclusion: Exclude processes running under CI/CD user accounts (e.g., jenkins, gitlab-runner, circleci)
Example Filter: process.user in ("jenkins", "gitlab-runner", "circleci")
Scenario: User agent spoofing for API testing or development purposes
Filter/Exclusion: Exclude processes that include known development or testing tools (e.g., curl used with --user-agent in a test script)
Example Filter:
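To see how the Sigma selection and the tuning exclusions above behave together, here is an added Python replay of that logic over constructed process-creation events. It is example code written for this page, not the rule author's or Sentinel's code. The field names follow the ASIM imProcessCreate schema used in the KQL query; treating ActingProcessName as the parent process and ActorUsername as the user is an assumption, as are the sample command lines and the hostnames under the reserved .invalid domain. The internal-network check goes beyond the page's substring filter and tests real CIDR membership.

```python
import ipaddress
import re

# Constructed sample events (not real telemetry). Field names follow the ASIM
# imProcessCreate schema used in the KQL on this page; ActingProcessName and
# ActorUsername are assumed here to hold the parent process and the user.
SAMPLE_EVENTS = [
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/bin/bash", "ActorUsername": "www-data",
     "TargetProcessCommandLine": "curl -A 'Mozilla/5.0' https://example.invalid/"},
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/usr/bin/apt-get", "ActorUsername": "root",
     "TargetProcessCommandLine": "curl --user-agent apt-mirror http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease"},
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/usr/bin/telegraf", "ActorUsername": "telegraf",
     "TargetProcessCommandLine": "curl -A telegraf http://metrics.internal.invalid:9090/-/healthy"},
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/bin/bash", "ActorUsername": "ops",
     "TargetProcessCommandLine": "curl -A ops-fetch http://10.200.5.17/config.yaml"},
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/usr/bin/java", "ActorUsername": "jenkins",
     "TargetProcessCommandLine": "curl -A ci-fetch https://registry.internal.invalid/artifact.tgz"},
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/bin/bash", "ActorUsername": "alice",
     "TargetProcessCommandLine": "curl -sS https://example.invalid/"},
    {"TargetProcessName": "/usr/bin/curl", "ActingProcessName": "/bin/bash", "ActorUsername": "bob",
     "TargetProcessCommandLine": "curl -a -T /tmp/report.csv ftp://files.internal.invalid/"},
]

# Sigma string modifiers and KQL `contains` are case-insensitive, so compare lower-cased.
USER_AGENT_PATTERNS = (" -a ", " --user-agent ")
# Exclusion lists taken from the tuning scenarios on this page.
PACKAGE_REPOS = ("http://archive.ubuntu.com", "https://apt.ubuntu.com")
MONITORING_TOOLS = {"telegraf", "datadog-agent", "prometheus"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
CICD_USERS = {"jenkins", "gitlab-runner", "circleci"}
URL_HOST_RE = re.compile(r"""https?://([^/\s:'"]+)""")


def matches_rule(event):
    """The Sigma selection: Image ends with /curl and the command line carries -A or --user-agent."""
    cmd = event["TargetProcessCommandLine"].lower()
    return event["TargetProcessName"].endswith("/curl") and any(p in cmd for p in USER_AGENT_PATTERNS)


def targets_internal_ip(cmdline):
    """True if any http(s) URL in the command line points at a literal IP inside INTERNAL_NETS.
    CIDR membership replaces the '10.0.0.' substring check, which would miss 10.200.5.17."""
    for host in URL_HOST_RE.findall(cmdline):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname rather than a literal address
        if any(addr in net for net in INTERNAL_NETS):
            return True
    return False


def exclusion_reason(event):
    """Return the first tuning exclusion that applies, or None when the event should alert."""
    cmd = event["TargetProcessCommandLine"]
    if any(repo in cmd for repo in PACKAGE_REPOS):
        return "package repository"
    parent = event.get("ActingProcessName", "").rsplit("/", 1)[-1]
    if parent in MONITORING_TOOLS:
        return "monitoring tool"
    if targets_internal_ip(cmd):
        return "internal server"
    if event.get("ActorUsername") in CICD_USERS:
        return "ci/cd account"
    return None


def triage(events):
    """Return (verdict, reason, command line) per event: no-match, excluded or alert."""
    rows = []
    for ev in events:
        if not matches_rule(ev):
            rows.append(("no-match", None, ev["TargetProcessCommandLine"]))
            continue
        reason = exclusion_reason(ev)
        rows.append(("excluded" if reason else "alert", reason, ev["TargetProcessCommandLine"]))
    return rows


def alerts(events):
    """Only the rows an analyst still has to look at."""
    return [cmd for verdict, _, cmd in triage(events) if verdict == "alert"]


if __name__ == "__main__":
    for verdict, reason, cmd in triage(SAMPLE_EVENTS):
        print(f"{verdict:9} {reason or '-':19} {cmd}")
```

Two of the seven sample events survive as alerts. The first is the plain browser-impersonating curl call the rule is written for. The last one shows a false positive worth knowing about: because Sigma's `contains` and KQL's `contains` are case-insensitive, the pattern ' -A ' also fires on curl's lower-case `-a` (FTP append); if that is noisy in your environment, KQL's `contains_cs` keeps the literal case. The 10.200.5.17 event is excluded only because the check tests membership in 10.0.0.0/8; the page's `process.args contains "10.0.0."` filter would have let it through as an alert.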