From 25af1a08820f5cc1a2c3c16f003a947176ebb9d2 Mon Sep 17 00:00:00 2001 From: John Fawcett <43934323+jwfawcett@users.noreply.github.com> Date: Wed, 20 May 2026 08:35:54 -0400 Subject: [PATCH 1/2] Add files via upload Add Curl.exe to the list of LOLBAS --- yml/OSBinaries/CurlFinal.yml | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 yml/OSBinaries/CurlFinal.yml diff --git a/yml/OSBinaries/CurlFinal.yml b/yml/OSBinaries/CurlFinal.yml new file mode 100644 index 00000000..6f9bd70d --- /dev/null +++ b/yml/OSBinaries/CurlFinal.yml 
@@ -0,0 +1,40 @@ +--- +Name: Curl.exe +Description: While the curl command in Powershell is just an alias for Invoke-WebRequest, curl.exe has much of the functionality of its Linux Counterpart. This may be able to be expanded. +Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, + - Alias: +Author: John Fawcett (5HR3K) +Created:2026-05-19 +Commands: + - Command: curl.exe -o newfile.txt https://www.example.com/file.txt + Description: Download a file + Usecase: Another method of downloading + Category: Download + Privileges: User + MitreID: Ingress Tool Transfer + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags:Download + - Key1: Value1 # Optional field for one or more tags + - Command: curl.exe --data-urlencode "" https:// + Description: Encode file and send via a POST request + Usecase: Possible AV Evasion + Category: Encoding + Privileges: User + MitreID: T1027.013: Encrypted/Encoded File + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\curl.exe +Code_Sample: + - Code: +Detection: + - IOC: Event ID 10 + - IOC: binary.exe spawned + - Analysis: https://example.com/to/blog/gist/writeup/if/applicable + - Sigma: https://example.com/to/sigma/rule/if/applicable + - Elastic: https://example.com/to/elastic/rule/if/applicable + - Splunk: https://example.com/to/splunk/rule/if/applicable + - BlockRule: https://example.com/to/microsoft/block/rules/if/applicable +Resources: + +Acknowledgement: + From fde850edac30d16d194362284e6a3632374a0c52 Mon Sep 17 00:00:00 2001 From: John Fawcett <43934323+jwfawcett@users.noreply.github.com> Date: Wed, 20 May 2026 09:51:14 -0400 Subject: [PATCH 2/2] Update CurlFinal.yml --- yml/OSBinaries/CurlFinal.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) 
diff --git a/yml/OSBinaries/CurlFinal.yml b/yml/OSBinaries/CurlFinal.yml index 6f9bd70d..15db3a63 100644 --- a/yml/OSBinaries/CurlFinal.yml +++ b/yml/OSBinaries/CurlFinal.yml @@ -1,31 +1,33 @@ --- Name: Curl.exe -Description: While the curl command in Powershell is just an alias for Invoke-WebRequest, curl.exe has much of the functionality of its Linux Counterpart. This may be able to be expanded. -Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, - - Alias: +Description: While the curl command in Powershell is just an alias for + Invoke-WebRequest, curl.exe has much of the functionality of its Linux + Counterpart. This may be able to be expanded. +Aliases: + - Alias: null Author: John Fawcett (5HR3K) -Created:2026-05-19 +Created: 2026-05-19 Commands: - Command: curl.exe -o newfile.txt https://www.example.com/file.txt - Description: Download a file - Usecase: Another method of downloading + Description: Download a file + Usecase: Another method of downloading Category: Download Privileges: User MitreID: Ingress Tool Transfer OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Tags:Download - - Key1: Value1 # Optional field for one or more tags + Tags: + - Key1: Download - Command: curl.exe --data-urlencode "" https:// Description: Encode file and send via a POST request - Usecase: Possible AV Evasion + Usecase: Possible AV Evasion Category: Encoding Privileges: User - MitreID: T1027.013: Encrypted/Encoded File + MitreID:T1027.013: Encrypted/Encoded File OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\curl.exe Code_Sample: - - Code: + - Code: null Detection: - IOC: Event ID 10 - IOC: binary.exe spawned 
@@ -34,7 +36,6 @@ Detection: - Elastic: https://example.com/to/elastic/rule/if/applicable - Splunk: https://example.com/to/splunk/rule/if/applicable - BlockRule: https://example.com/to/microsoft/block/rules/if/applicable -Resources: - -Acknowledgement: +Resources: null +Acknowledgement: null
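Review bot: in the first patch (the hunk creating CurlFinal.yml), the `MitreID` fields do not carry technique IDs and the second command is still a template placeholder. `MitreID: Ingress Tool Transfer` should be the ID, `MitreID: T1105`, and `MitreID: T1027.013: Encrypted/Encoded File` is not valid YAML (a second `: ` inside an unquoted scalar) and should be just `MitreID: T1027.013`. The command `curl.exe --data-urlencode "" https://` sends an empty payload to no host; if the intent is to POST a file's contents URL-encoded, the curl form that does that is `--data-urlencode "name@C:\path\to\file" https://host/`, and the Usecase/Category should then describe an upload of data rather than "Possible AV Evasion", since URL-encoding the request body does nothing to a file scanned on disk. `IOC: Event ID 10` names no event source; if Sysmon is meant, Event ID 10 is ProcessAccess and does not capture a download, whereas Sysmon 1 (process creation with the curl.exe command line), 3 (network connection) and 11 (file create for the `-o` output) do. `Full_Path: c:\windows\system32\curl.exe` conflicts with `OperatingSystem: Windows 7, Windows 8, Windows 8.1, ...`: curl.exe only ships in System32 from Windows 10 1803 and Server 2019 onward, so the OS list should start there. Finally, the file is still full of template text that should be filled in or removed before merge (`Aliases: # Optional field ...`, `- Key1: Value1 # Optional field ...`, `Code_Sample: - Code:`, `IOC: binary.exe spawned`, the example.com links under Analysis/Sigma/Elastic/Splunk/BlockRule), `Created:2026-05-19` and `Tags:Download` lack the space after the colon (and Tags should be a list), and the filename CurlFinal.yml does not match `Name: Curl.exe`; LOLBAS entries are named after the binary, so Curl.yml.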
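Review bot: in the second patch's first hunk (`@@ -1,31 +1,33 @@`), the edit to `MitreID:T1027.013: Encrypted/Encoded File` makes the line worse: the space after the key is gone and the value still contains a second `: `, so YAML reads the key as `MitreID:T1027.013` and the `MitreID` field disappears. Write it as `MitreID: T1027.013`, and give the first command `MitreID: T1105` instead of the technique name. The cleanup also keeps placeholders: `- Key1: Download` under Tags uses the template's dummy key name, and `- Alias: null` / `- Code: null` fill optional sections with explicit nulls where the fields should simply be omitted. The draft sentence "This may be able to be expanded." in Description should not ship in the entry. The `Created: 2026-05-19` spacing fix and the Description reflow are fine.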
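Review bot: in the second patch's last hunk (`@@ -34,7 +36,6 @@`), `Resources: null` and `Acknowledgement: null` turn empty fields into explicit nulls but the entry still cites nothing; Resources should at least link the curl manual for the `-o` and `--data-urlencode` options the two commands rely on. The unchanged context lines in this hunk still carry the template's example.com URLs for Elastic, Splunk and BlockRule; drop those lines or replace them with real rule links so the merged entry does not advertise placeholder detections.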