Date: 12/31/2025
Severity: Medium
Summary
Identifies executions of curl.exe whose command line contains the file:/// scheme, which makes curl read a local file instead of fetching a remote resource.
Indicators of Compromise (IOC) List
Image: \curl.exe
OriginalFileName: curl.exe
CommandLine: 'file:///'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: resourcename = "Windows Security" AND eventtype = "4688" AND processname like "\curl.exe" and originalfilename like "curl.exe" and commandline like "file:///"
Detection Query 2: technologygroup = "EDR" AND processname like "\curl.exe" and originalfilename like "curl.exe" and commandline like "file:///"
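The following is an added example, not Gurucul's code or the Sigma project's, that applies the same three-field logic as the queries above (image ends with \curl.exe, OriginalFileName is curl.exe, command line contains file:///) to a handful of constructed 4688-style process-creation events. The sample events, the field names and the case-insensitive comparison are assumptions made here to keep the example runnable offline; the Gurucul "like" operator may differ in case handling.

```python
"""Added example: run the curl.exe file:/// detection logic over constructed
Windows process-creation events. Not part of the original advisory."""
import re

# Constructed sample events (not real telemetry). Field names mirror the
# advisory's IOC list: Image, OriginalFileName, CommandLine.
SAMPLE_EVENTS = [
    {"EventID": "4688", "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe file:///C:/Windows/win.ini"},          # expected hit
    {"EventID": "4688", "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -sS https://example.invalid/"},        # remote URL, no hit
    {"EventID": "4688", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe file:///C:/Users/Public/notes.txt"},  # not curl, no hit
    {"EventID": "4688", "Image": r"C:\Users\Public\tool.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "tool.exe FILE:///C:/Windows/win.ini"},          # renamed copy, see note
    {"EventID": "4689", "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe file:///C:/Windows/win.ini"},          # process exit, no hit
]


def matches_curl_local_file_read(event: dict) -> bool:
    """Mirror the advisory's query: 4688 (when an EventID is present) AND
    Image ends with \\curl.exe AND OriginalFileName is curl.exe AND the
    command line contains file:///. Comparisons are case-insensitive
    (assumption: Windows paths and URL schemes are not case-sensitive)."""
    if "EventID" in event and event["EventID"] != "4688":
        return False
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (image.endswith("\\curl.exe")
            and original == "curl.exe"
            and "file:///" in cmdline)


def local_paths_read(cmdline: str) -> list:
    """Extract the file:/// targets from a command line for triage context."""
    return re.findall(r"file:///(\S+)", cmdline, flags=re.IGNORECASE)


def triage(events: list) -> list:
    """Return one record per matching event with the local paths it read."""
    hits = []
    for event in events:
        if matches_curl_local_file_read(event):
            hits.append({"Image": event["Image"],
                         "paths": local_paths_read(event["CommandLine"])})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['Image']} read {hit['paths']}")
```

Only the first sample event fires. The fourth event shows a limit of requiring both identifiers: a copy of curl.exe running under another name keeps OriginalFileName = curl.exe but no longer ends with \curl.exe, so the query as written does not fire on it; an analyst tuning this rule may prefer to treat either identifier as sufficient and accept the extra review load.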
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml