curl
Transfer data to or from a server. Commonly used for downloading payloads, exfiltration, and C2 communication.
Binary Paths
/usr/bin/curl
/bin/curl
Glob Patterns
| Pattern | Notes |
|---|---|
| `cur?` | Single wildcard replaces 'l' |
| `c*l` | Star matches 'ur' |
| `cu[r]l` | Character class around 'r' |
| `c?r?` | Two wildcards replace 'u' and 'l' |
| `/usr/bin/cur?` | Full path, wildcard on last char |
| `/???/bin/curl` | Obfuscate /usr/ prefix |
| `/usr/*/cur?` | Combined wildcards on directory and command |
| `cur[l]` | Bracket class on final char |
| `c[u]rl` | Bracket class on second char |
| `/???/???/c*` | Full path obfuscation with mixed wildcards |
| `for p in /usr/{bin,sbin}/curl; do "$p" && break; done` | Brace expansion in for loop — tries both path alternatives |
| `$(ls /usr/bin/cur?)` | ls resolves the glob to full path; command substitution executes the result |
| `$'\x63\x75\x72\x6c'` | ANSI-C hex escapes expand to the string 'curl' before execution |
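For detection, the patterns above can be evaluated the way the shell would evaluate them: this added example (not part of the original page) checks whether a token from a logged command line would resolve to one of the listed curl paths while not being the plain name. The function names and sample log lines are constructed for illustration.

```python
import fnmatch
import re

CURL_PATHS = ["/usr/bin/curl", "/bin/curl"]  # binary paths listed on the page
GLOB_CHARS = re.compile(r"[*?\[]")

def decode_ansi_c(token):
    """Expand $'\\xNN' ANSI-C hex escapes, as the shell does before execution."""
    m = re.fullmatch(r"\$'((?:\\x[0-9a-fA-F]{2})+)'", token)
    if not m:
        return token
    return bytes.fromhex(m.group(1).replace("\\x", "")).decode("latin-1")

def expand_braces(token):
    """Expand one {a,b} group, enough for /usr/{bin,sbin}/curl."""
    m = re.search(r"\{([^{}]*,[^{}]*)\}", token)
    if not m:
        return [token]
    return [token[:m.start()] + alt + token[m.end():] for alt in m.group(1).split(",")]

def glob_matches_path(pattern, path):
    """Match component by component, since shell wildcards never match '/'."""
    p_parts, t_parts = pattern.split("/"), path.split("/")
    return len(p_parts) == len(t_parts) and all(
        fnmatch.fnmatchcase(t, p) for p, t in zip(p_parts, t_parts))

def token_hits_curl(token):
    """True if the token can resolve to curl and is not the plain name or path."""
    decoded = decode_ansi_c(token)
    for cand in expand_braces(decoded):
        targets = CURL_PATHS if "/" in cand else ["curl"]
        if any(glob_matches_path(cand, t) for t in targets):
            return decoded != token or cand != decoded or bool(GLOB_CHARS.search(cand))
    return False

def flag_command(cmdline):
    """Return the tokens of a logged command line that hide a curl invocation."""
    tokens = re.split(r"[\s;()\"]+|\$\(", cmdline)
    return [t for t in tokens if t and token_hits_curl(t)]

# Constructed sample command lines (not real telemetry).
SAMPLE = [
    r"curl -s https://example.invalid/",
    r"/???/bin/curl -o /tmp/x https://example.invalid/a",
    r"$'\x63\x75\x72\x6c' -s https://example.invalid/",
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(flag_command(line), "<-", line)
```

Tokens made only of wildcards, such as a bare `*`, also match and need tuning against local telemetry.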
YARA Rule
Auto-generated detection rule for curl