Detecting Covert curl Usage with Uncoder AI’s Decision Tree in Carbon Black

May 02, 2025 · 4 min read

When attackers repurpose legitimate binaries like curl.exe to tunnel through SOCKS proxies and access .onion domains, it poses a major visibility gap for defenders. These behaviors can signal C2 activity, data staging, or use of a backdoor like Kalambur.

VMware Carbon Black allows you to detect these patterns with detailed command-line monitoring, but parsing the query logic can be a slow, error-prone task. Enter Uncoder AI’s AI-generated Decision Tree, which breaks this down into an interactive, visualized path to clarity.


Detection Focus: curl + Proxy Tunnels + .onion Targets

The Carbon Black query identifies potentially malicious execution of curl.exe with three required conditions:

  1. The process is curl.exe, identified via:
    • process_name:*\\curl\.exe – wildcard matching ensures flexibility across directory paths
  2. Command-line SOCKS proxy usage, matched via any one of:
    • socks5h://
    • socks5://
    • socks4a://
  3. .onion domain targeting, a strong signal of Tor network activity, matched via:
    • process_cmdline:*\.onion*

Input we used:

(process_name:*\\curl\.exe AND process_cmdline:(*socks5h\:\/\/* OR *socks5\:\/\/* OR *socks4a\:\/\/*) AND process_cmdline:*\.onion*)

This means the detection fires only when all three conditions hold at once: curl.exe is the process, a SOCKS proxy scheme appears on its command line, and the target is a .onion service reached through that proxy.
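To make the three AND-ed branches concrete, the following Python is an added example (not part of the original post, and not Uncoder AI or Carbon Black code) that translates each wildcard term of the query above into a regular expression and runs the combined logic over a handful of constructed process events. It assumes the wildcard semantics that "*" matches any run of characters and a backslash escapes the next character, and it assumes matching is case-insensitive; the event ids, command lines and the .onion hostname are all made up for the demonstration.

```python
import re
from typing import Iterable

# The three groups of wildcard terms, copied from the Carbon Black query above.
# Assumed semantics (this example's reading of the syntax): '*' matches any run
# of characters, and a backslash escapes the following character, so '\\' is a
# literal backslash and '\.' a literal dot.
PROCESS_NAME_TERM = r"*\\curl\.exe"
PROXY_TERMS = (r"*socks5h\:\/\/*", r"*socks5\:\/\/*", r"*socks4a\:\/\/*")
ONION_TERM = r"*\.onion*"


def wildcard_to_regex(term: str) -> str:
    """Translate one wildcard term into an anchored regex string."""
    out = []
    i = 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            out.append(re.escape(term[i + 1]))  # escaped character, taken literally
            i += 2
        else:
            out.append(".*" if ch == "*" else re.escape(ch))
            i += 1
    return "^" + "".join(out) + "$"


def compile_term(term: str) -> re.Pattern:
    # Case-insensitive matching is an assumption of this example; Windows paths
    # and command-line flags are not reliably case-normalised in telemetry.
    return re.compile(wildcard_to_regex(term), re.IGNORECASE | re.DOTALL)


PROCESS_NAME_RE = compile_term(PROCESS_NAME_TERM)
PROXY_RES = tuple(compile_term(t) for t in PROXY_TERMS)
ONION_RE = compile_term(ONION_TERM)


def matches_query(event: dict) -> bool:
    """Evaluate the query's three AND-ed branches against one process event."""
    name = event.get("process_name", "")
    cmdline = event.get("process_cmdline", "")
    is_curl = PROCESS_NAME_RE.match(name) is not None
    uses_socks_proxy = any(rx.match(cmdline) for rx in PROXY_RES)  # the OR branch
    targets_onion = ONION_RE.match(cmdline) is not None
    return is_curl and uses_socks_proxy and targets_onion


def run_detection(events: Iterable[dict]) -> list:
    """Return the ids of the events that would fire the rule, in input order."""
    return [e["id"] for e in events if matches_query(e)]


# Constructed sample events (not real telemetry); the .onion name is a placeholder.
SAMPLE_EVENTS = [
    {"id": "evt-1",  # all three conditions hold: fires
     "process_name": r"C:\Windows\System32\curl.exe",
     "process_cmdline": "curl.exe -x socks5h://127.0.0.1:9050 http://placeholderaddress.onion/"},
    {"id": "evt-2",  # SOCKS proxy but a clearnet target (no .onion): does not fire
     "process_name": r"C:\Windows\System32\curl.exe",
     "process_cmdline": "curl.exe -x socks5://127.0.0.1:1080 https://example.com/"},
    {"id": "evt-3",  # .onion target but no proxy scheme on the command line: does not fire
     "process_name": r"C:\Windows\System32\curl.exe",
     "process_cmdline": "curl.exe http://placeholderaddress.onion/"},
    {"id": "evt-4",  # not curl.exe, even though both strings appear: does not fire
     "process_name": r"C:\Windows\System32\findstr.exe",
     "process_cmdline": r"findstr.exe socks5h:// C:\logs\proxy.onion.log"},
    {"id": "evt-5",  # upper-case scheme: fires under the case-insensitive assumption
     "process_name": r"C:\Tools\curl.exe",
     "process_cmdline": "curl.exe --proxy SOCKS4A://localhost:9050 http://placeholderaddress.onion/"},
    {"id": "evt-6",  # bare file name: the literal term *\\curl\.exe requires a backslash, does not fire
     "process_name": "curl.exe",
     "process_cmdline": "curl.exe -x socks5h://127.0.0.1:9050 http://placeholderaddress.onion/"},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # ['evt-1', 'evt-5']
```

Events evt-2 through evt-4 each drop exactly one branch, which is a quick way to confirm the rule really is a three-way AND rather than an OR. Event evt-6 is worth noting when reviewing the query: taken literally, `*\\curl\.exe` demands a path separator before the file name, so whether it matches depends on whether the process_name field in your tenant carries a full path or a bare file name; check that against real events before relying on the rule.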

What the AI-generated Decision Tree Revealed

Uncoder AI translated this detection into a logical path using AND branches:

  • The process must be curl.exe
  • The command line must include at least one SOCKS proxy pattern
  • The command line must also contain a .onion reference

This full-stack visualization makes detection logic readable, presentable, and explainable across security teams.

AI output:

The condition part of the given carbonblack query is a decision tree that evaluates the following criteria:
1. **process_name:**\*\\curl\.exe
   - This checks if the process name matches `curl.exe`. The `\*` is a wildcard character that can match any characters before and after "curl.exe", ensuring that the rule applies regardless of the path or other variations in the executable's naming.
2. **process_cmdline:**(\*socks5h\:\/\/* OR \*socks5\:\/\/* OR \*socks4a\:\/\/*)
   - This examines the command line arguments of the process (in this case, `curl.exe`) for specific patterns related to SOCKS proxy connections.
     - **\*socks5h\:\/\/***: Matches if the command line includes a string indicating a SOCKS5 proxy connection with host resolution happening on the client side (`socks5h`).
     - **\*socks5\:\/\/***: Looks for indications of a standard SOCKS5 proxy connection.
     - **\*socks4a\:\/\/***: Checks for SOCKS4a proxy connections, which is similar to SOCKS4 but allows the client to pass the destination server's domain name rather than just its IP address.
3. **process_cmdline:**\*\.onion*
   - This condition checks if the command line arguments of `curl.exe` include a string that ends with `.onion`. The `.onion` top-level domain is used for hidden services within the Tor network, indicating an attempt to connect to or access content on the dark web.
**Decision Tree Logic:**
- All conditions must be true (`AND` operator).
  - The process being executed must be `curl.exe`.
  - The command line of `curl.exe` must contain arguments specifying a SOCKS proxy connection (either socks5h, socks5, or socks4a) to access content.
  - Additionally, the command line must include an argument that contains `.onion`, suggesting the target is a Tor hidden service.
This decision tree aims to identify and potentially block or alert on instances where `curl.exe` is used to access dark web content via SOCKS proxy connections.

Why This Matters

  • Reduces Time to Understand: Instead of reading through regex-heavy command-line filters, analysts instantly see what’s being validated.
  • Improves Auditability: The decision tree can be shared in detection review sessions or compliance documentation.
  • Enhances Threat Hunting: When searching for curl misuse, analysts now have the full logic exposed in one intuitive flow.

This is particularly useful when monitoring for low-noise, high-evasion TTPs—such as malware using native tools to access dark web infrastructure.

From Query to Confidence, Instantly

The combination of Carbon Black telemetry and Uncoder AI’s decision tree logic gives SOCs a fast lane from rule logic to real-world response. You don’t just detect threats—you understand them before they escalate.

