Skip to content
Threat Feed
medium advisory

Potential Data Exfiltration Through Curl

This rule detects potential data exfiltration attempts on Linux systems using the curl command-line tool to upload files to external servers, potentially indicating unauthorized data transfer.

The rule "Potential Data Exfiltration Through Curl" detects the use of the curl command-line tool on Linux systems to upload files to external servers. Threat actors often use tools like curl to exfiltrate collected data to their command and control (C2) server. While curl has legitimate uses, its use for uploading data to external servers is considered abnormal and suspicious. This activity is monitored by analyzing process execution events for specific command-line arguments and patterns associated with data uploads. The rule focuses on Linux systems and triggers on curl commands using arguments such as -T, --upload-file, -F, -d, or --data* when used in conjunction with file uploads to external network destinations. The rule was last updated on March 13, 2026 and leverages data from Elastic Defend, Crowdstrike, and SentinelOne.

Attack Chain

  1. The attacker gains initial access to the Linux system (e.g., via SSH or exploiting a vulnerability).
  2. The attacker collects sensitive data from the compromised system (e.g., configuration files, databases, logs).
  3. The attacker compresses the collected data into an archive (e.g., using tar, gzip, or zip).
  4. The attacker uses the curl command to upload the compressed archive to an external server. The command includes arguments such as -T or --upload-file to specify the file to upload.
  5. The curl command establishes a network connection to the attacker's C2 server or a controlled exfiltration point.
  6. The compressed data is transmitted over HTTP, HTTPS, FTP, or FTPS protocols to the external server.
  7. The attacker receives the exfiltrated data on the external server.
  8. The attacker may attempt to remove traces of the exfiltration activity from the compromised system (e.g., deleting temporary files, clearing logs).

Impact

Successful exploitation can lead to the exfiltration of sensitive data, including confidential documents, credentials, or proprietary information. The severity depends on the type and volume of data compromised. Data exfiltration can lead to financial losses, reputational damage, legal repercussions, and loss of competitive advantage. This detection is crucial for organizations that need to protect sensitive data residing on Linux systems, and prevent unauthorized access. The rule is designed to detect suspicious curl usage that deviates from normal system behavior.

Recommendation

  • Deploy the Sigma rule Potential Data Exfiltration Through Curl to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule by examining the process command line, parent process, and network logs.
  • Enable Elastic Defend integration as documented in the rule Setup section to provide the necessary data source.
  • Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers as mentioned in the rule's Response and remediation section.

Detection coverage 2

Potential Data Exfiltration Through Curl - Process Creation

medium

Detects the use of curl to upload files to an internet server.

sigma tactics: exfiltration techniques: T1048 sources: process_creation, linux

Potential Data Exfiltration Through Curl - Data Parameter

medium

Detects curl commands using -F, -d, or --data* with file uploads.

sigma tactics: exfiltration techniques: T1048 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →