Detection rules › Splunk
Exfiltration via curl.exe - Windows (PowerShell)
Threat actors may abuse curl.exe on Windows systems to exfiltrate data or upload files to remote servers using command-line options like -d, -T, --form, or --upload-file. These flags are commonly used for HTTP POST requests, enabling attackers to transmit files or sensitive information during post-compromise activity. This use case detects process creation events where curl.exe is used with data or file upload arguments, potentially indicating data exfiltration, C2 communication, or malicious use of legitimate tools.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1048 Exfiltration Over Alternative Protocol |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '45179.90471'
title: Exfiltration via curl.exe - Windows
description: Threat actors may abuse curl.exe on Windows systems to exfiltrate data
or upload files to remote servers using command-line options like -d, -T, --form,
or --upload-file. These flags are commonly used for HTTP POST requests, enabling
attackers to transmit files or sensitive information during post-compromise activity.
This use case detects process creation events where curl.exe is used with data or
file upload arguments, potentially indicating data exfiltration, C2 communication,
or malicious use of legitimate tools.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") TERM(curl) ("-d" OR
"-T" OR "-F" OR " --form" OR "--upload-file " OR "--data " OR "--data-") | where
match(process, "(?i)curl") and (match(process, "\s-[dTF]\s") or match(process, "(?i)\s--(form|upload-file|data)\s|\s--data-"))
| table _time, host, user, process, process_path, process_name, parent_process_name,
user | bin span=1s | stats values(*) as * by _time, host '
techniques:
- exfiltration:exfiltration over alternative protocol
technique_id:
- T1048
data_category:
- PowerShell logs
references:
- https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
- https://x.com/d1r4c/status/1279042657508081664
- https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
- https://curl.se/docs/manpage.html
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") TERM(curl) ("-d" OR "-T" OR "-F" OR " --form" OR "--upload-file " OR "--data " OR "--data-")
Stage 2: where
| where match(process, "(?i)curl") and (match(process, "\s-[dTF]\s") or match(process, "(?i)\s--(form|upload-file|data)\s|\s--data-"))
Stage 3: table
| table _time, host, user, process, process_path, process_name, parent_process_name, user
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | TERM |
| 1 | curl |
| 1 | "-d" |
| 1 | "-T" |
| 1 | "-F" |
| 1 | " --form" |
| 1 | "--upload-file " |
| 1 | "--data " |
| 1 | "--data-" |