Potential Data Exfiltration Through Curl

Last updated 15 days ago on 2025-04-29

Created 15 days ago on 2025-04-29

About

Detects the use of curl to upload an archived file to an internet server. Threat actors often will collect data on a system and compress it in an archive file before exfiltrating the file back to their C2 server for review. Many threat actors have been seen utilizing curl to upload this archive file with the collected data to do this. Use of curl in this way while not inherently malicious should be considered highly abnormal and suspicious activity.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ExfiltrationData Source: Elastic DefendLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Exfiltration (TA0010)(opens in a new tab or window)

↳ Exfiltration Over Alternative Protocol (T1048)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process*
Related Integrations: endpoint(opens in a new tab or window)
Query

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and
process.parent.executable != null and (process.args in ("-F", "-T", "-d") or process.args like "--data*") and 
process.command_line like~ ("*@/*.zip*", "*@/*.gz*", "*@/*.tgz*", "*b64=@*", "*=<*") and
process.command_line like~ "*http*"

Install detection rules in Elastic Security

Detect Potential Data Exfiltration Through Curl in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).