EXPLORE
← Back to Explore
sigmahighHunting

Curl File Upload To File Sharing Websites

Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.

MITRE ATT&CK

exfiltration

Detection Query

selection_img:
  - Image|endswith: \curl.exe
  - OriginalFileName: curl.exe
selection_cli_domain:
  CommandLine|contains:
    - 0x0.st
    - bashupload.com
    - chunk.io
    - file.io
    - filebin.net
    - pastebin
    - send.firefox.com
    - temp.sh
    - transfer.sh
    - ufile.io
    - uploadfiles.io
    - wetransfer.com
    - x0.at
selection_cli_flags:
  - CommandLine|contains:
      - " --form"
      - " --upload-file"
      - " --data"
      - " -X POST"
      - " --request POST "
  - CommandLine|re:
      - \s-[FTd]\s
      - \s-sT\s
condition: all of selection_*

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2026-03-29

Data Sources

windowsProcess Creation Events

Platforms

windows

Tags

attack.exfiltrationattack.t1567.002
Raw Content
title: Curl File Upload To File Sharing Websites
id: e328cc73-f92a-42fb-b3fa-7c2cffda981a
related:
    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
      type: derived
    - id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
      type: similar
status: experimental
description: Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
    - https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
date: 2026-03-29
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli_domain:
        CommandLine|contains:
            - '0x0.st'
            - 'bashupload.com'
            - 'chunk.io'
            - 'file.io'
            - 'filebin.net'
            - 'pastebin'
            - 'send.firefox.com'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
            - 'uploadfiles.io'
            - 'wetransfer.com'
            - 'x0.at'
    selection_cli_flags:
        - CommandLine|contains:
              - ' --form'
              - ' --upload-file'
              - ' --data'
              - ' -X POST'
              - ' --request POST '
        - CommandLine|re:
              - '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
              - '\s-sT\s'
    condition: all of selection_*
falsepositives:
    - Legitimate file uploads to these services by administrators or developers
level: high