Potential Data Exfiltration Through Curl
This rule detects potential data exfiltration attempts on Linux systems using the curl command-line tool to upload files to external servers, potentially indicating unauthorized data transfer.
The rule "Potential Data Exfiltration Through Curl" detects the use of the curl command-line tool on Linux systems to upload files to external servers. Threat actors often use tools like curl to exfiltrate collected data to their command and control (C2) server. While curl has legitimate uses, its use for uploading data to external servers is considered abnormal and suspicious. This activity is monitored by analyzing process execution events for specific command-line arguments and patterns associated with data uploads. The rule focuses on Linux systems and triggers on curl commands using arguments such as -T, --upload-file, -F, -d, or --data* when used in conjunction with file uploads to external network destinations. The rule was last updated on March 13, 2026 and leverages data from Elastic Defend, Crowdstrike, and SentinelOne.
Attack Chain
- The attacker gains initial access to the Linux system (e.g., via SSH or exploiting a vulnerability).
- The attacker collects sensitive data from the compromised system (e.g., configuration files, databases, logs).
- The attacker compresses the collected data into an archive (e.g., using
tar,gzip, orzip). - The attacker uses the
curlcommand to upload the compressed archive to an external server. The command includes arguments such as-Tor--upload-fileto specify the file to upload. - The
curlcommand establishes a network connection to the attacker's C2 server or a controlled exfiltration point. - The compressed data is transmitted over HTTP, HTTPS, FTP, or FTPS protocols to the external server.
- The attacker receives the exfiltrated data on the external server.
- The attacker may attempt to remove traces of the exfiltration activity from the compromised system (e.g., deleting temporary files, clearing logs).
Impact
Successful exploitation can lead to the exfiltration of sensitive data, including confidential documents, credentials, or proprietary information. The severity depends on the type and volume of data compromised. Data exfiltration can lead to financial losses, reputational damage, legal repercussions, and loss of competitive advantage. This detection is crucial for organizations that need to protect sensitive data residing on Linux systems, and prevent unauthorized access. The rule is designed to detect suspicious curl usage that deviates from normal system behavior.
Recommendation
- Deploy the Sigma rule
Potential Data Exfiltration Through Curlto your SIEM and tune for your environment. - Investigate any alerts generated by the Sigma rule by examining the process command line, parent process, and network logs.
- Enable Elastic Defend integration as documented in the rule
Setupsection to provide the necessary data source. - Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers as mentioned in the rule's
Response and remediationsection.
Detection coverage 2
Potential Data Exfiltration Through Curl - Process Creation
mediumDetects the use of curl to upload files to an internet server.
Potential Data Exfiltration Through Curl - Data Parameter
mediumDetects curl commands using -F, -d, or --data* with file uploads.
Detection queries are available on the platform. Get full rules →