Detects a suspicious curl process start on Windows that writes the requested document to a local file
# Sigma rule: curl.exe writing a download into a user-writable / staging
# location, or fetching something whose extension suggests a payload or
# script (ATT&CK T1105).
title: Suspicious Curl.EXE Download
id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
related:
    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
      type: derived
    - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
      type: similar
status: test
description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
references:
    - https://twitter.com/max_mal_/status/1542461200797163522
    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
    - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
    - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    # Either entry identifies curl (a list here is OR). The Product entry keys
    # on the binary's version-info metadata rather than its file name, so a
    # renamed curl.exe is still caught as long as that metadata is intact; a
    # build with stripped or altered version info is only seen by the Image
    # entry.
    selection_curl:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    # Substring match anywhere in the command line (OR). The '%...%' forms only
    # hit when the variable reached the process unexpanded; if the launching
    # shell expanded it first, the expanded path is expected to match one of
    # the '\AppData\' / '\Temp\' / '\Users\Public\' entries instead.
    selection_susp_locations:
        CommandLine|contains:
            - '%AppData%'
            - '%Public%'
            - '%Temp%'
            - '%tmp%'
            - '\AppData\'
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Windows\Temp\'
    # 'endswith' inspects only the tail of the whole command line, i.e. whatever
    # argument was passed last - typically the URL or the -o/--output target.
    # An invocation whose last argument carries none of these extensions (or
    # ends in a closing quote / trailing space) relies on the location
    # selection alone.
    selection_susp_extensions:
        CommandLine|endswith:
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.temp'
            - '.tmp'
            - '.txt'
            - '.vbe'
            - '.vbs'
    # Known-benign exclusion: the Git for Windows helper (sh.exe -> bundled
    # curl.exe) fetches latest-tag.txt into AppData\Local\Temp, which trips
    # both the '\AppData\' and '.txt' selections. The filter is pinned to the
    # default install path via exact Image/ParentImage values, and uses a bare
    # 'AppData' because the helper passes the output path with forward slashes
    # (see the example below), so a '\AppData\' pattern would not match it.
    filter_optional_git_windows:
        # Example FP
        # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
        ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
        Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
        CommandLine|contains|all:
            - '--silent --show-error --output '
            - 'gfw-httpget-'
            - 'AppData'
    # curl AND (suspicious location OR suspicious extension) AND NOT any
    # filter_optional_* exclusion.
    condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
# NOTE(review): 'Unknown' understates it - the filter above already documents
# one benign hit, and '\Desktop\', '.txt', '.jpg' etc. occur in ordinary user
# activity, so expect to add further filter_optional_* entries per environment
# before running this at level high.
falsepositives:
    - Unknown
level: high
# The two keys below are not defined by the Sigma specification; presumably
# added by the hosting corpus to link regression data and an Atomic Red Team
# simulation - confirm the consuming tooling tolerates unknown top-level keys.
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
simulation:
    - type: atomic-red-team
      name: Curl Download File
      technique: T1105
      atomic_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
// Microsoft Sentinel (ASIM imProcessCreate) rendering of "Suspicious Curl.EXE Download".
// Each Sigma selection is its own `where` stage; consecutive `where` stages are
// AND-ed, so this is equivalent to the single-expression form of the query.
imProcessCreate
// selection_curl: image name, or the version-info Product string (catches a renamed binary
// as long as its metadata is intact)
| where TargetProcessName endswith "\\curl.exe"
    or TargetProcessFileProduct =~ "The curl executable"
// 1 of selection_susp_*: a user-writable / staging path anywhere in the command line,
// or a payload-/script-looking extension as the final characters of the command line
// (i.e. of whatever argument came last - often the URL rather than the -o target)
| where TargetProcessCommandLine contains "%AppData%"
    or TargetProcessCommandLine contains "%Public%"
    or TargetProcessCommandLine contains "%Temp%"
    or TargetProcessCommandLine contains "%tmp%"
    or TargetProcessCommandLine contains "\\AppData\\"
    or TargetProcessCommandLine contains "\\Desktop\\"
    or TargetProcessCommandLine contains "\\Temp\\"
    or TargetProcessCommandLine contains "\\Users\\Public\\"
    or TargetProcessCommandLine contains "C:\\PerfLogs\\"
    or TargetProcessCommandLine contains "C:\\ProgramData\\"
    or TargetProcessCommandLine contains "C:\\Windows\\Temp\\"
    or TargetProcessCommandLine endswith ".dll"
    or TargetProcessCommandLine endswith ".gif"
    or TargetProcessCommandLine endswith ".jpeg"
    or TargetProcessCommandLine endswith ".jpg"
    or TargetProcessCommandLine endswith ".png"
    or TargetProcessCommandLine endswith ".temp"
    or TargetProcessCommandLine endswith ".tmp"
    or TargetProcessCommandLine endswith ".txt"
    or TargetProcessCommandLine endswith ".vbe"
    or TargetProcessCommandLine endswith ".vbs"
// not 1 of filter_optional_*: the Git for Windows helper (sh.exe -> bundled mingw64 curl.exe)
// writing gfw-httpget-*.txt under AppData. Exact, default-install paths only; "AppData" has
// no backslashes because that helper passes the output path with forward slashes.
| where not(
        (ParentProcessName =~ "C:\\Program Files\\Git\\usr\\bin\\sh.exe"
            or ActingProcessName =~ "C:\\Program Files\\Git\\usr\\bin\\sh.exe")
        and TargetProcessName =~ "C:\\Program Files\\Git\\mingw64\\bin\\curl.exe"
        and TargetProcessCommandLine contains "--silent --show-error --output "
        and TargetProcessCommandLine contains "gfw-httpget-"
        and TargetProcessCommandLine contains "AppData"
    )
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure the data connector feeding this ASIM parser is enabled; otherwise the query above returns no rows |