{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/curl/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["curl","Linux"],"_cs_severities":["medium"],"_cs_tags":["data-exfiltration","curl","linux"],"_cs_type":"advisory","_cs_vendors":["curl"],"content_html":"\u003cp\u003eThe rule \u0026quot;Potential Data Exfiltration Through Curl\u0026quot; detects the use of the \u003ccode\u003ecurl\u003c/code\u003e command-line tool on Linux systems to upload files to external servers. Threat actors often use tools like \u003ccode\u003ecurl\u003c/code\u003e to exfiltrate collected data to their command and control (C2) server. While \u003ccode\u003ecurl\u003c/code\u003e has legitimate uses, its use for uploading data to external servers is considered abnormal and suspicious. This activity is monitored by analyzing process execution events for specific command-line arguments and patterns associated with data uploads. The rule focuses on Linux systems and triggers on \u003ccode\u003ecurl\u003c/code\u003e commands using arguments such as \u003ccode\u003e-T\u003c/code\u003e, \u003ccode\u003e--upload-file\u003c/code\u003e, \u003ccode\u003e-F\u003c/code\u003e, \u003ccode\u003e-d\u003c/code\u003e, or \u003ccode\u003e--data*\u003c/code\u003e when used in conjunction with file uploads to external network destinations. The rule was last updated on March 13, 2026 and leverages data from Elastic Defend, Crowdstrike, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system (e.g., via SSH or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker collects sensitive data from the compromised system (e.g., configuration files, databases, logs).\u003c/li\u003e\n\u003cli\u003eThe attacker compresses the collected data into an archive (e.g., using \u003ccode\u003etar\u003c/code\u003e, \u003ccode\u003egzip\u003c/code\u003e, or \u003ccode\u003ezip\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003ecurl\u003c/code\u003e command to upload the compressed archive to an external server. The command includes arguments such as \u003ccode\u003e-T\u003c/code\u003e or \u003ccode\u003e--upload-file\u003c/code\u003e to specify the file to upload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecurl\u003c/code\u003e command establishes a network connection to the attacker's C2 server or a controlled exfiltration point.\u003c/li\u003e\n\u003cli\u003eThe compressed data is transmitted over HTTP, HTTPS, FTP, or FTPS protocols to the external server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data on the external server.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to remove traces of the exfiltration activity from the compromised system (e.g., deleting temporary files, clearing logs).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive data, including confidential documents, credentials, or proprietary information. The severity depends on the type and volume of data compromised. Data exfiltration can lead to financial losses, reputational damage, legal repercussions, and loss of competitive advantage. This detection is crucial for organizations that need to protect sensitive data residing on Linux systems, and prevent unauthorized access. The rule is designed to detect suspicious \u003ccode\u003ecurl\u003c/code\u003e usage that deviates from normal system behavior.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Data Exfiltration Through Curl\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process command line, parent process, and network logs.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration as documented in the rule \u003ccode\u003eSetup\u003c/code\u003e section to provide the necessary data source.\u003c/li\u003e\n\u003cli\u003eReview and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers as mentioned in the rule's \u003ccode\u003eResponse and remediation\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-potential-curl-data-exfiltration/","summary":"This rule detects potential data exfiltration attempts on Linux systems using the curl command-line tool to upload files to external servers, potentially indicating unauthorized data transfer.","title":"Potential Data Exfiltration Through Curl","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-curl-data-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Curl","version":"https://jsonfeed.org/version/1.1"}