Detection Query 1 (Sysmon event ID 1, process creation; filters on image, original file name and command line): | (resourcename = "Sysmon" AND eventtype = "1" ) AND image = "\curl.exe" AND originalfilename = "curl.exe" AND commandline In (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1") |
Detection Query 2 (EDR telemetry; same image, original file name and command line filters as Query 1): | (technologygroup = "EDR" ) AND image = "\curl.exe" AND originalfilename = "curl.exe" AND commandline In (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1") |
Detection Query 3 (Windows Security event ID 4688, process creation; filters on new process name and message): | ((resourcename = "Windows Security" AND eventtype = "4688" ) AND newprocessname = "\curl.exe" ) AND message IN (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1") |
Detection Query 4 (EDR telemetry; same new process name and message filters as Query 3): | (technologygroup = "EDR") AND newprocessname = "\curl.exe" AND message IN (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1") |