Suspicious Download and Execute Pattern via Curl/Wget

calendar Jun 25, 2025 · attack.execution attack.t1059.004 attack.t1203  ·
Share on: linkedin copy

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.

Sigma rule (View on GitHub)

 1title: Suspicious Download and Execute Pattern via Curl/Wget
 2id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
 3status: experimental
 4description: |
 5    Detects suspicious use of command-line tools such as curl or wget to download remote
 6    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
 7    immediate execution, indicating potential malicious activity. This pattern is commonly used
 8    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.    
 9references:
10    - https://gtfobins.github.io/gtfobins/wget/
11    - https://gtfobins.github.io/gtfobins/curl/
12author: Aayush Gupta
13date: 2025-06-17
14tags:
15    - attack.execution
16    - attack.t1059.004
17    - attack.t1203
18logsource:
19    category: process_creation
20    product: linux
21detection:
22    selection_downloader:
23        CommandLine|contains:
24            - '/curl'
25            - '/wget'
26    selection_tmp:
27        CommandLine|contains:
28            - '/tmp/'
29            - '/dev/shm/'
30    selection_executor:
31        CommandLine|contains: 'sh -c'
32    condition: all of selection_*
33falsepositives:
34    - System update scripts using temporary files
35    - Installer scripts or automated provisioning tools
36level: high

References

  • wget | GTFOBins

    .. / wget Shell File upload File download File write File read SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. TF=$(mktemp) chmod +...


    Read More

  • curl | GTFOBins

    .. / curl File upload File download File write File read SUID Sudo File upload It can exfiltrate files on the network. Send local file with an HTTP POST request. Run an HTTP service on the attacker...


    Read More

Related rules

to-top