From e08833566d1547cf334baee9520c5819fe40bcaf Mon Sep 17 00:00:00 2001
From: LeamanB <115671278+LeamanB@users.noreply.github.com>
Date: Fri, 10 Oct 2025 20:23:08 -0500
Subject: [PATCH] Create suspicious_curl.yaml

Signed-off-by: LeamanB <115671278+LeamanB@users.noreply.github.com>
---
 rules/sandbox/leamanb/suspicious_curl.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/sandbox/leamanb/suspicious_curl.yaml

diff --git a/rules/sandbox/leamanb/suspicious_curl.yaml b/rules/sandbox/leamanb/suspicious_curl.yaml
new file mode 100644
index 00000000..69bae2fd
--- /dev/null
+++ b/rules/sandbox/leamanb/suspicious_curl.yaml
@@ -0,0 +1,21 @@
+maturity: sandbox
+title: Suspicious cURL with POST or Data Upload
+id: suspicious_curl_post_upload
+version: 1.0.0
+status: experimental
+description: Detects cURL usage with POST or --data, which may indicate data exfiltration or command-and-control activity.
+author: Leaman Brown
+date: 2025-10-10
+references:
+  - https://falco.org/docs/rules/
+  - https://curl.se/docs/manpage.html
+tags:
+  - network
+  - exfiltration
+  - curl
+  - linux
+condition: evt.type = execve and proc.name = "curl" and (proc.args contains "POST" or proc.args contains "--data" or proc.args contains "--upload-file")
+output: >
+  Suspicious cURL command detected (user=%user.name, command=%proc.cmdline)
+priority: WARNING
+source: syscalls
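Review bot: The `+condition:` line matches only the long-form switches, so the short forms curl users and attackers actually type bypass it outright: `curl -d @/etc/shadow https://…`, `curl -T dump.tgz …`, `curl -F 'f=@…' …` and `curl -X PUT …` all send data without tripping the rule, and `contains "POST"` is case-sensitive so `-X post` to an attacker-controlled server slips through as well. Because Falco's `proc.args` is one space-joined string, short flags need a leading space (or a `startswith` clause for the first argument) to avoid matching inside unrelated words; a broader sandbox-grade form is `condition: evt.type = execve and proc.name = "curl" and (proc.args icontains "-X POST" or proc.args icontains "-XPOST" or proc.args icontains "-X PUT" or proc.args contains "--data" or proc.args contains " -d" or proc.args startswith "-d" or proc.args contains " -F" or proc.args contains "--form" or proc.args contains " -T" or proc.args contains "--upload-file" or proc.args contains "--json")`. `proc.name = "curl"` is also defeated by copying the binary under another name; if the target engine exposes `proc.exepath`, matching on that is more robust. Since this fires at WARNING on every `--data` invocation, a `# false positives:` comment above the condition naming the expected benign uploaders (package managers, CI agents, monitoring shippers) would help whoever tunes it before promotion out of sandbox.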