LoFP / base images, entrypoints, or init wrappers may legitimately invoke curl or wget during container startup (package installs, health checks); baseline trusted images and exclude stable image digests or namespaces when noisy.

Techniques

Sample rules

Curl or Wget Execution from Container Context

Description

Detects execution of curl or wget from processes whose title aligns with runc init, a common fingerprint for workloads running inside OCI/runc-backed containers on Linux hosts instrumented with Auditd Manager. After breaking out of an application container or abusing a privileged workload, attackers often pull ingress tooling (stagers, scripts, implants) or stage exfiltration with minimal HTTP clients. Those utilities are also used benignly in images, so context matters; the runc init anchor narrows the signal to the container runtime boundary where unexpected download clients are more worthy of review than the same binaries on a bare-metal admin shell.

Detection logic

host.os.type:linux and 
data_stream.dataset:"auditd_manager.auditd" and
event.action:("executed" or "exec") and
process.title:"runc init" and
(
  process.name:(curl or wget) or
  process.args:(* curl* or */bin/curl* or *wget*)
)
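The query above, re-implemented as a small Python matcher and run over a handful of constructed auditd_manager-style events, so the rule's conditions and the LoFP tuning (suppressing trusted image digests and namespaces) can be tried offline. This is an added example, not part of the LoFP entry or the rule's own code: the events are constructed, the digests and namespaces are placeholders, and the two tuning fields (`container.image.hash.all`, `orchestrator.namespace`) are assumed ECS field names that the rule itself does not reference.

```python
import fnmatch

# Wildcard patterns from the rule's process.args clause. KQL wildcards are
# evaluated per value of a multi-valued field, so any single arg matching is enough.
ARGS_PATTERNS = ("* curl*", "*/bin/curl*", "*wget*")

# Assumed tuning lists for the LoFP guidance (placeholders, not real values):
# stable image digests and namespaces that are known to curl/wget at startup.
TRUSTED_IMAGE_DIGESTS = {"sha256:" + "a" * 64}
TRUSTED_NAMESPACES = {"monitoring"}


def matches_rule(ev):
    """Return True when an event satisfies the detection logic above.

    Field names are ECS-style dotted keys; process.title is compared exactly,
    which is the keyword-field reading of process.title:"runc init".
    """
    if ev.get("host.os.type") != "linux":
        return False
    if ev.get("data_stream.dataset") != "auditd_manager.auditd":
        return False
    if ev.get("event.action") not in ("executed", "exec"):
        return False
    if ev.get("process.title") != "runc init":
        return False
    if ev.get("process.name") in ("curl", "wget"):
        return True
    args = ev.get("process.args") or []
    return any(fnmatch.fnmatchcase(a, p) for a in args for p in ARGS_PATTERNS)


def is_baselined(ev):
    """LoFP tuning: treat matches from trusted digests or namespaces as expected."""
    digests = ev.get("container.image.hash.all") or []
    if any(d in TRUSTED_IMAGE_DIGESTS for d in digests):
        return True
    return ev.get("orchestrator.namespace") in TRUSTED_NAMESPACES


def triage(events):
    """Bucket events by rule outcome: alert, suppressed by baseline, or no match."""
    out = {"alert": [], "suppressed": [], "no_match": []}
    for ev in events:
        if not matches_rule(ev):
            out["no_match"].append(ev["id"])
        elif is_baselined(ev):
            out["suppressed"].append(ev["id"])
        else:
            out["alert"].append(ev["id"])
    return out


# Constructed sample events (not captured telemetry).
_BASE = {"host.os.type": "linux", "data_stream.dataset": "auditd_manager.auditd"}
EVENTS = [
    # direct curl from a runc-backed container, untrusted namespace -> alert
    {**_BASE, "id": "ev1", "event.action": "executed", "process.title": "runc init",
     "process.name": "curl", "process.args": ["curl", "-s", "http://example.invalid/"],
     "orchestrator.namespace": "app"},
    # wget hidden behind a shell: process.name is sh, caught by the args wildcard
    {**_BASE, "id": "ev2", "event.action": "exec", "process.title": "runc init",
     "process.name": "sh", "process.args": ["sh", "-c", "wget -qO- http://example.invalid/x"],
     "orchestrator.namespace": "app"},
    # health check from a baselined image digest -> suppressed
    {**_BASE, "id": "ev3", "event.action": "executed", "process.title": "runc init",
     "process.name": "curl", "process.args": ["curl", "-f", "http://localhost:8080/healthz"],
     "container.image.hash.all": ["sha256:" + "a" * 64], "orchestrator.namespace": "app"},
    # same binary from an admin shell on the host, not a container -> no match
    {**_BASE, "id": "ev4", "event.action": "executed", "process.title": "bash",
     "process.name": "curl", "process.args": ["curl", "https://example.invalid/"]},
    # curl from a namespace on the allowlist -> suppressed
    {**_BASE, "id": "ev5", "event.action": "executed", "process.title": "runc init",
     "process.name": "curl", "process.args": ["curl", "http://example.invalid/metrics"],
     "orchestrator.namespace": "monitoring"},
]

if __name__ == "__main__":
    for bucket, ids in triage(EVENTS).items():
        print(f"{bucket}: {ids}")
```

The split between `matches_rule` and `is_baselined` mirrors how the tuning should be applied in practice: keep the detection itself unchanged and add the digest or namespace exclusions as a separate, auditable layer, so that a widened allowlist never silently loosens the `runc init` anchor.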