system update scripts using temporary files

t1059
t1059.004
t1203
linux
sigma

Techniques

t1059
t1059.004
t1203

Sample rules

Suspicious Download and Execute Pattern via Curl/Wget

source: sigma
technicques:
- t1059
- t1059.004
- t1203

Description

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.

Detection logic

condition: all of selection_*
selection_downloader:
  CommandLine|contains:
  - /curl
  - /wget
selection_executor:
  CommandLine|contains: sh -c
selection_tmp:
  CommandLine|contains:
  - /tmp/
  - /dev/shm/