Developers, administrators, or automation tools may use `curl` or `wget` for legitimate purposes such as software installation, configuration scripts, or CI/CD tasks. Security tools or health-monitoring scripts may also use these utilities to check service availability or download updates. Review the destination `url`, frequency, and process context to validate whether the download activity is authorized.

Techniques

Sample rules

Cisco Secure Firewall - Wget or Curl Download

Description

The following analytic detects outbound connections initiated by command-line tools such as curl or wget. It leverages Cisco Secure Firewall Threat Defense logs and identifies allowed connections (action=Allow) where either the EVE_Process or ClientApplication fields indicate use of these utilities. While curl and wget are legitimate tools commonly used for software updates and scripting, adversaries often abuse them to download payloads, retrieve additional tools, or establish staging infrastructure from compromised systems. If confirmed malicious, this behavior may indicate the download phase of an attack chain or a command-and-control utility retrieval.

Detection logic

`cisco_secure_firewall` EventType=ConnectionEvent action=Allow AND ( EVE_Process IN ("*curl*", "*wget*") OR ClientApplication IN ("cURL", "Wget") )
| stats count min(_time) as firstTime max(_time) as lastTime
    Values(rule) as rule
    Values(url) as url
    Values(dest_port) as dest_port
    Values(ClientApplicationVersion) as ClientApplicationVersion
    Values(src_port) as src_port
    by src_ip, dest, transport, EVE_Process, ClientApplication, action
| table src_ip src_port dest dest_port transport url EVE_Process ClientApplication ClientApplicationVersion rule firstTime lastTime
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___wget_or_curl_download_filter`
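The base search, the `stats` grouping, and the triage step from the false-positive note (review destination, frequency, process context), as an added Python example that is not part of this page or of the rule's own content. The key=value log lines, the `_time` field layout, and the approved-host allowlist are constructed assumptions.

```python
# Constructed sample events in key=value form; these are not real firewall logs.
from collections import defaultdict
from fnmatch import fnmatch
from urllib.parse import urlsplit

SAMPLE_EVENTS = [
    "EventType=ConnectionEvent action=Allow src_ip=10.1.1.5 dest=203.0.113.10 transport=TCP EVE_Process=/usr/bin/curl ClientApplication=cURL url=http://203.0.113.10/stage.sh _time=1700000000",
    "EventType=ConnectionEvent action=Allow src_ip=10.1.1.5 dest=203.0.113.10 transport=TCP EVE_Process=/usr/bin/curl ClientApplication=cURL url=http://203.0.113.10/tool.bin _time=1700000300",
    "EventType=ConnectionEvent action=Allow src_ip=10.1.1.7 dest=198.51.100.20 transport=TCP EVE_Process=wget ClientApplication=Wget url=https://mirror.example.com/pkg.deb _time=1700000100",
    "EventType=ConnectionEvent action=Block src_ip=10.1.1.9 dest=203.0.113.10 transport=TCP EVE_Process=/usr/bin/curl ClientApplication=cURL url=http://203.0.113.10/x _time=1700000200",
    "EventType=ConnectionEvent action=Allow src_ip=10.1.1.8 dest=198.51.100.20 transport=TCP EVE_Process=firefox ClientApplication=Firefox url=https://mirror.example.com/ _time=1700000400",
]
PROCESS_GLOBS = ("*curl*", "*wget*")   # EVE_Process IN ("*curl*", "*wget*")
CLIENT_APPS = ("curl", "wget")         # ClientApplication IN ("cURL", "Wget")
GROUP_BY = ("src_ip", "dest", "transport", "EVE_Process", "ClientApplication", "action")

def parse_event(line):
    """Split a key=value line into a dict (values contain no spaces in this sample)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def matches_rule(ev):
    """Base search: an allowed ConnectionEvent from a curl/wget process or client app.
    Splunk field-value matching is case-insensitive, so compare lowercased values."""
    if ev.get("EventType") != "ConnectionEvent" or ev.get("action") != "Allow":
        return False
    proc = ev.get("EVE_Process", "").lower()
    return any(fnmatch(proc, g) for g in PROCESS_GLOBS) \
        or ev.get("ClientApplication", "").lower() in CLIENT_APPS

def aggregate(lines):
    """The `stats` stage: count, firstTime, lastTime and values(url) per group key."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "url": set()})
    for line in lines:
        ev = parse_event(line)
        if not matches_rule(ev):
            continue
        row, t = rows[tuple(ev.get(k, "") for k in GROUP_BY)], int(ev["_time"])
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
        row["url"].add(ev.get("url", ""))
    return dict(rows)

def needs_review(rows, approved_hosts):
    """Triage per the false-positive note: keep groups whose URL host is not an
    approved update/mirror host (approved_hosts is an assumed local allowlist)."""
    return {k: r for k, r in rows.items()
            if any(urlsplit(u).hostname not in approved_hosts for u in r["url"])}
```

Groups that survive `needs_review` still need the frequency (`count`, `firstTime`/`lastTime`) and the `EVE_Process` path checked against expected automation before they are treated as true positives.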