
Rule Info
Name: Suspicious Curl Usage with SOCKS Proxy or TOR
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects curl usage to access a SOCKS proxy or TOR. Normal users rarely use these proxies or onion services, making this activity potentially suspicious. Adversaries may exploit the curl utility to access their malicious domains, either to upload collected information or download potentially malicious software.
Date: 2025-02-13 00:00:00
Modified: None
Id: 5f837594-4c19-44b5-8e21-5651f1572492
Tags: attack.command-and-control, attack.t1005
Type: Nextron Sigma feed only (private)