← Back to Explore
sigmahighHunting
Curl File Upload To File Sharing Websites
Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.
Detection Query
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_cli_domain:
CommandLine|contains:
- 0x0.st
- bashupload.com
- chunk.io
- file.io
- filebin.net
- pastebin
- send.firefox.com
- temp.sh
- transfer.sh
- ufile.io
- uploadfiles.io
- wetransfer.com
- x0.at
selection_cli_flags:
- CommandLine|contains:
- " --form"
- " --upload-file"
- " --data"
- " -X POST"
- " --request POST "
- CommandLine|re:
- \s-[FTd]\s
- \s-sT\s
condition: all of selection_*
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2026-03-29
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.exfiltrationattack.t1567.002
Raw Content
title: Curl File Upload To File Sharing Websites
id: e328cc73-f92a-42fb-b3fa-7c2cffda981a
related:
- id: 00bca14a-df4e-4649-9054-3f2aa676bc04
type: derived
- id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
type: similar
status: experimental
description: Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
- https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
date: 2026-03-29
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli_domain:
CommandLine|contains:
- '0x0.st'
- 'bashupload.com'
- 'chunk.io'
- 'file.io'
- 'filebin.net'
- 'pastebin'
- 'send.firefox.com'
- 'temp.sh'
- 'transfer.sh'
- 'ufile.io'
- 'uploadfiles.io'
- 'wetransfer.com'
- 'x0.at'
selection_cli_flags:
- CommandLine|contains:
- ' --form'
- ' --upload-file'
- ' --data'
- ' -X POST'
- ' --request POST '
- CommandLine|re:
- '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
- '\s-sT\s'
condition: all of selection_*
falsepositives:
- Legitimate file uploads to these services by administrators or developers
level: high