Visualizing Malicious curl Proxy Activity in CrowdStrike with Uncoder AI

[post-views]
May 02, 2025 · 3 min read
Visualizing Malicious curl Proxy Activity in CrowdStrike with Uncoder AI

Adversaries frequently repurpose trusted tools like curl.exe to tunnel traffic through SOCKS proxies and even reach .onion domains. Whether it’s for data exfiltration or command-and-control communication, such activity often flies under the radar—unless you’re explicitly detecting for it.

This is exactly what CrowdStrike Endpoint Security Query Language allows teams to do. But when logic grows dense, detection engineers and SOC analysts alike benefit from Uncoder AI’s AI-generated Decision Tree, which lays out every branch of the rule in a clean, visual format.

Explore Uncoder AI

Detection Objective: curl.exe + TOR Proxy Indicators

The CrowdStrike detection rule monitors for:

  • Process execution of curl.exe, checked via both ImageFileName and ApplicationName fields
  • SOCKS proxy arguments, such as socks5h://, socks5://, or socks4a:// in:
    • The command line
    • The command history
  • Access to .onion domains, indicating dark web communication

This multi-faceted query uses both command-line and historical arguments to ensure thorough visibility into how curl.exe is being leveraged.

Input we used (click to show the text)

((ImageFileName=/\\curl\.exe$/i or ApplicationName=/\\curl\.exe$/i) ((CommandLine=/socks5h\:\/\//i or CommandLine=/socks5\:\/\//i or CommandLine=/socks4a\:\/\//i) or (CommandHistory=/socks5h\:\/\//i or CommandHistory=/socks5\:\/\//i or CommandHistory=/socks4a\:\/\//i)) (CommandLine=/\.onion/i or CommandHistory=/\.onion/i))

What the AI Decision Tree Revealed

Uncoder AI broke this into a clear sequence of logical conditions:

  1. Initial Process Match
    • ImageFileName or ApplicationName must end with curl.exe (case-insensitive)
  2. SOCKS Proxy Usage Evidence
    • Detected via CommandLine or CommandHistory matching SOCKS patterns (socks5h, socks5, socks4a)
  3. .onion Traffic Detection
    • Detected again in both CommandLine and CommandHistory

The tree structure also separates AND logic from internal OR evaluations:

  • You only trigger an alert when all three branches are satisfied: process match, proxy usage, and .onion domain reference.

Real-World Value

With this decision tree, defenders can instantly interpret what this detection targets and why:

  • Identify backdoors like Kalambur or other implants using curl.exe to interact with hidden services.
  • Monitor for abuse of proxies and anonymizing layers that may be used to bypass perimeter defenses.

Pinpoint post-exploitation activity that attempts to blend with legitimate admin behavior.

From Regex to Readable Logic

What once looked like dense CrowdStrike regex and nested conditions is now visually transparent, thanks to Uncoder AI. This empowers:

  • Faster triage of curl-based alerts
  • Easier tuning and validation of detection rules
  • More accessible handoff between threat hunters and incident responders

Explore Uncoder AI

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts