# Elastic Endpoint behavior rule for macOS. Key order and layout are left
# exactly as the rule tooling emits them; only comments are added here.
[rule]
description = """
Detects when Curl is seen creating a .pdf or .doc file in a suspicious directory like /tmp or /users/shared. A recent
DPRK sample was seen downloading a decoy document via Curl like this.
"""
id = "a39d0c2f-30d0-4a32-b198-41b135f85bad"
license = "Elastic License v2"
name = "Decoy Document Creation via Curl"
os_list = ["macos"]
reference = ["https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf"]
version = "1.0.7"
# EQL file event: a curl/nscurl process writing a pdf/doc under a temp or
# shared path. Points a maintainer should keep in mind:
# - The description says "creating" but the query keys on
#   event.action == "modification"; presumably the downloaded body is written
#   after the file is created, so modification is the event that fires —
#   confirm against the endpoint's file event model before changing it.
# - EQL `like` and `in` are case-sensitive, so the patterns must match the
#   casing the endpoint reports in file.path (the query uses "/Users/Shared",
#   while the description writes it as "/users/shared").
# - Only "doc" is listed, not "docx"/"docm"; widen deliberately, since the
#   "/Users/*/Library/*" pattern already covers every user's Library tree.
query = '''
file where event.action == "modification" and file.path like ("/tmp/*", "/private/tmp/*", "/Users/Shared/*", "/Users/*/Library/*") and
file.extension in ("pdf", "doc") and process.name in ("curl", "nscurl")
'''
# Minimum endpoint version this rule targets; the same value is repeated
# under [internal] below.
min_endpoint_version = "8.11.0"
# No optional response actions; the mandatory ones are the [[actions]] entries.
optional_actions = []
# Response actions taken on a match. Both entries kill a process; the first
# targets Effective_process.entity_id (field name spelled as given here), the
# second the event's own process.entity_id. The meaning of `state` is not
# documented in this file — confirm it against the rule schema before editing.
[[actions]]
action = "kill_process"
field = "Effective_process.entity_id"
state = 0
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0
# MITRE ATT&CK mapping: User Execution / Malicious File under the Execution
# tactic, matching the decoy-document lure described in the rule.
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"
# Sub-table of the current [[threat]] element; it must stay between this
# element's header and any following [[threat]] entry.
[threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Internal metadata; mirrors min_endpoint_version from [rule] and should be
# bumped together with it.
[internal]
min_endpoint_version = "8.11.0"