Adversaries commonly use curl or wget to pull a second-stage script into a world-writable directory such as /tmp or /dev/shm (a memory-backed tmpfs, so the payload may never touch disk) and execute it in the same shell command, giving them code execution with little forensic residue. SOC teams should proactively hunt for this pattern in Microsoft Sentinel (formerly Azure Sentinel) to identify command-and-control beacons, stager activity, or the initial compromise vector.
Detection Rule
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
    Detects suspicious use of command-line tools such as curl or wget to download remote
    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
    immediate execution, indicating potential malicious activity. This pattern is commonly used
    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
    - https://gtfobins.github.io/gtfobins/wget/
    - https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
falsepositives:
    - System update scripts using temporary files
    - Installer scripts or automated provisioning tools
level: high
The same logic as a KQL query against the ASIM imProcessCreate parser in Sentinel, where the Sigma CommandLine field maps to TargetProcessCommandLine:

imProcessCreate
| where (TargetProcessCommandLine contains "/curl" or TargetProcessCommandLine contains "/wget")
    and (TargetProcessCommandLine contains "/tmp/" or TargetProcessCommandLine contains "/dev/shm/")
    and TargetProcessCommandLine contains "sh -c"

Two properties of these substring matches are worth keeping in mind when tuning. First, "/curl" and "/wget" only fire when the binary appears with a path component (for example /usr/bin/curl); a command line that invokes plain curl or wget by name does not satisfy selection_downloader, so the rule is easy to sidestep. Second, "sh -c" also matches "bash -c", "dash -c" and "zsh -c", which is desirable here, but a script executed as sh /tmp/x.sh without -c is not matched at all. Treat the rule as a high-precision starting point rather than complete coverage of the download-and-execute pattern.
Scenario: System Update via Curl
Description: A system administrator uses curl to download a signed update package from a trusted internal repository and places it in /tmp for verification before installation.
Filter/Exclusion: Check for presence of a valid digital signature or verify the source against a known internal update server.
Scenario: Scheduled Job for Log Collection
Description: A cron job uses wget to fetch log files from a central logging server into /tmp for processing by a log aggregation tool.
Filter/Exclusion: Filter by the presence of a known log collection script or check for the presence of a log processing tool in the same process tree.
Scenario: Temporary File Creation for Script Testing
Description: A developer uses curl to download a test script from a local development server into /tmp to run it in a sandboxed environment.
Filter/Exclusion: Check for a development tool or environment (e.g., docker or vagrant) in the process context, and verify that the source is a known development host.
Scenario: Admin Task for Configuration Sync
Description: An admin uses wget to synchronize configuration files from a central configuration management server into /tmp for deployment via a configuration management tool like Ansible or Puppet.
Filter/Exclusion: Check for the presence of a configuration management tool or verify the source against a known internal configuration server.
Scenario: Secure File Transfer via Curl
Description: A security team uses curl with HTTPS to download a trusted security patch from a vendor into /tmp for manual verification before applying it.
Filter/Exclusion: Check for the presence of a security tool or verify the file hash against a known good checksum.