

Adding signature for curl spotted in commands
cccs-kevin committed Sep 5, 2023

1 parent f3421e3 commit ef9735b
Showing 1 changed file with 29 additions and 0 deletions.
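--- a/modules/signatures/windows_utilities.py
+++ b/modules/signatures/windows_utilities.py
@@ -619,6 +619,35 @@ def run(self):
         return ret
 
 
+class UsesWindowsUtilitiesCurl(Signature):
+    name = "uses_windows_utilities_curl"
+    description = "Uses the cURL utility, most likely to download a file"
+    severity = 1
+    categories = ["network"]
+    authors = ["@CybercentreCanada"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1202"]  # MITRE v6,7,8
+    mbcs = ["OB0009", "E1203.m06"]
+
+    def run(self):
+        utilities = [
+            "curl ",
+            "curl.exe ",
+        ]
+
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            for utility in utilities:
+                if utility in lower:
+                    ret = True
+                    self.data.append({"command": cmdline})
+
+        return ret
+
+
 class UsesWindowsUtilitiesDSQuery(Signature):
     name = "uses_windows_utilities_dsquery"
     description = "Searches for an Active Directory object"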
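Review bot: The substring test `if utility in lower:` in `UsesWindowsUtilitiesCurl.run` fires on any command line that contains `"curl "` anywhere, so a differently-named binary whose path or name ends in "curl" (or "curl" passed as an argument to another program) is reported, and the inner loop has no `break`, so a command line that contains both patterns is appended to `self.data` twice. Collapsing the inner loop to `if any(utility in lower for utility in utilities):` followed by `ret = True` and `self.data.append({"command": cmdline})` removes the duplicate entries; anchoring the match on the executable token (the basename of the first whitespace-separated token, compared against `curl`/`curl.exe`) would cut the false positives, at the cost of missing `cmd /c curl ...` style invocations, so a comment stating which trade-off was chosen would help the next maintainer. The description "most likely to download a file" understates the tool — curl also uploads (`-d`, `-T`, `-F`), so "transfer a file" reads more accurately for an analyst triaging for exfiltration. The `ttps = ["T1202"]` (Indirect Command Execution) looks inherited from the sibling signatures; if this class is meant to flag tool download, T1105 (Ingress Tool Transfer) is the closer technique — worth confirming against how the other `UsesWindowsUtilities*` classes tag themselves, which are outside this hunk.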

