Data Exfiltration via Curl to Messaging Platforms

Rule Info

Name: Data Exfiltration via Curl to Messaging Platforms
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects curl commands with POST data targeting messaging platforms such as Discord, Signal, and others, which may indicate data exfiltration. Threat actors have been observed using curl to exfiltrate data to these messaging platforms after compromising systems.
Date: 2025-12-23 00:00:00
Modified: None
Id: 1aa3c4e0-debf-48c1-a4de-27bb848a75a6
Tags: attack.exfiltration, attack.t1041
Type: Nextron Sigma feed only (private)

Rule History