Adversaries may use curl to exfiltrate data by uploading files to a remote server, leveraging T1567 and T1105 techniques to establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration and early-stage C2 activity.
Detection Rule
title: Suspicious Curl File Upload - Linux
id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
related:
- id: 00bca14a-df4e-4649-9054-3f2aa676bc04
type: derived
status: test
description: Detects a suspicious curl process start the adds a file to a web request
references:
- https://twitter.com/d1r4c/status/1279042657508081664
- https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
- https://curl.se/docs/manpage.html
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
date: 2022-09-15
modified: 2023-05-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1105
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/curl'
selection_cli:
- CommandLine|contains:
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
filter_optional_localhost:
CommandLine|contains:
- '://localhost'
- '://127.0.0.1'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Scripts created by developers and admins
level: medium
imProcessCreate
| where (TargetProcessName endswith "/curl" and ((TargetProcessCommandLine contains " --form" or TargetProcessCommandLine contains " --upload-file " or TargetProcessCommandLine contains " --data " or TargetProcessCommandLine contains " --data-") or TargetProcessCommandLine matches regex "\\s-[FTd]\\s")) and (not((TargetProcessCommandLine contains "://localhost" or TargetProcessCommandLine contains "://127.0.0.1")))Scenario: Scheduled backup job using curl to upload logs to a central server
Filter/Exclusion: Check the command line arguments for known backup tools (e.g., logrotate, rsyslog, or backup.sh) and exclude uploads to internal log aggregation endpoints (e.g., https://logserver.example.com/upload).
Scenario: Admin using curl to manually test a file upload endpoint during development
Filter/Exclusion: Exclude processes initiated by admin users (e.g., root, admin, or users in the sudo group) and filter by known development environments (e.g., localhost, 127.0.0.1, or internal staging URLs).
Scenario: CI/CD pipeline using curl to upload artifacts to a private registry
Filter/Exclusion: Exclude processes associated with CI/CD tools (e.g., Jenkins, GitLab CI, GitHub Actions) and filter by known private registry endpoints (e.g., https://registry.example.com/v2/).
Scenario: System update using curl to fetch a file from an internal repository
Filter/Exclusion: Exclude processes initiated by system update tools (e.g., yum, apt, dnf) and filter by internal update servers (e.g., http://internal-repo.example.com/update/).
Scenario: User uploading a file via a web interface using curl as part of a legitimate workflow
Filter/Exclusion: Exclude processes where the file path matches known user-uploaded directories (e.g., /var/www/uploads/) and filter by user-specific credentials or session tokens.