Hunting for the Curl vulnerability
By Gianni Castaldi
With the release of the new Curl version approaching, I thought it would be nice to know where Curl is being run and where it is making network connections. The data will appear in the vulnerability management reporting once that becomes available. For now, we will use the tables that are already available, and in this blog post I will show two options. The first is based on the DeviceProcessEvents and DeviceFileEvents tables. The second is based on the network data.
For the first option, we will use the good old search operator. Normally we do not like to use it because it can return a lot of data, but as we learned a while ago in the blog post Searching and finding data, it is also possible to look only in specific columns. The query will also return DeviceNetworkEvents data, but that should not be a problem:
search
InitiatingProcessFileName:"curl.exe" or
InitiatingProcessVersionInfoOriginalFileName:"curl.exe" or
ProcessVersionInfoOriginalFileName:"curl.exe" or
ProcessVersionInfoInternalFileName:"curl" or
InitiatingProcessVersionInfoInternalFileName:"curl"
| distinct $table
The second option is based on the Zeek data in Microsoft 365 Defender. We will do that in the following steps:
- Look in the DeviceNetworkEvents table
- Look for all ActionType values that end with ConnectionInspected (Zeek-powered data)
- Filter for curl in the AdditionalFields column first, so we do not parse the JSON of all the unrelated rows
- Next, we parse the UserAgent from the AdditionalFields field
- The last step is to filter all user agents that contain curl
DeviceNetworkEvents
| where ActionType endswith "ConnectionInspected"
| where AdditionalFields contains "curl"
| extend UserAgent = parse_json(AdditionalFields).user_agent
| where UserAgent contains "curl"
As you can see, in both examples we ignored best practices. We used search, although in combination with column names for faster searching, and we used contains instead of has. While has can be faster, we do not know the exact formatting of the UserAgent field, so it is safer to use contains instead of has here.
For searchability, I added the queries to my queries repository under Curl-CVE-2023-38545.
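As an added example that is not part of the original post or of the queries repository: the Zeek-based query above extended to pull the curl version out of the User-Agent and summarize it per device, so the hits can be prioritised by version. The regex, the 7-day window and the FixedVersion placeholder are assumptions; the placeholder must be replaced with the patched version from the curl advisory before the query is useful.

```kql
// Added example, not from the original post.
// FixedVersion is a placeholder: fill in the patched curl version from the advisory.
let FixedVersion = "<patched-curl-version-from-advisory>";
DeviceNetworkEvents
| where Timestamp > ago(7d)                       // assumed look-back window
| where ActionType endswith "ConnectionInspected" // Zeek-powered rows only
| where AdditionalFields contains "curl"          // cheap pre-filter before JSON parsing
| extend UserAgent = tostring(parse_json(AdditionalFields).user_agent)
| where UserAgent contains "curl"                 // contains, because the UA format is unknown
// Assumed UA shape "curl/7.81.0 ..." -> "7.81.0"; rows without a version are dropped
| extend CurlVersion = extract(@"curl/(\d+(?:\.\d+)+)", 1, UserAgent)
| where isnotempty(CurlVersion)
// parse_version() gives a comparable number, so "7.88.1" < "8.10.0" compares correctly
| where parse_version(CurlVersion) < parse_version(FixedVersion)
| summarize Connections = count(),
            RemoteIPs   = make_set(RemoteIP, 20),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp)
  by DeviceName, CurlVersion
| order by parse_version(CurlVersion) asc, Connections desc
```

Devices running the oldest curl builds with the most outbound connections end up at the top, which is the list to hand to the patching team first.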
Good luck with hunting and detecting this vulnerability.
Thanks for reading and if you have any questions or ideas for a blog post let me know.