Suspicious Download and Piping to Interpreters Pattern

Rule Info

Name
Suspicious Download and Piping to Interpreters Pattern
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the usage of download utilities like curl or wget followed by piping the downloaded content directly into an interpreter such as Node.js, Python, Bash, PowerShell, Perl, or Ruby. This pattern is often used by attackers to download and execute malicious scripts or payloads directly in memory, bypassing traditional file-based detection mechanisms. Review the process lineage for context to determine if the activity is legitimate or malicious.
Date
2026-04-02 00:00:00
Modified
None
Id
3a6d8c5e-9f2b-4c1d-a7e3-5b8f0d2c4e6a
Tags
attack.execution attack.t1059 attack.command-and-control attack.t1105
Type
Nextron Sigma feed only (private)
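The rule logic itself is private to the Nextron feed, so the following is an added illustration, not the rule's code: a small Python checker for the pattern the description names, a curl/wget stage piped (directly or via intermediate stages such as tee) into an interpreter stage of the same pipeline. The interpreter binary aliases beyond the names listed in the description (python3, nodejs, pwsh, sh) and the wrapper prefixes it looks past are my assumptions.

```python
import shlex
# Downloaders and interpreters named in the rule description; the extra
# binary names (python3, nodejs, pwsh, sh) are assumed aliases, not rule text.
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"node", "nodejs", "python", "python3", "bash", "sh",
                "powershell", "pwsh", "perl", "ruby"}
WRAPPERS = {"sudo", "env", "nohup", "time"}  # prefixes to look past (assumed)


def program_name(stage):
    """Normalised executable name of one pipeline stage ('' if empty)."""
    for tok in stage:
        if "=" in tok and "/" not in tok:  # VAR=value assignment
            continue
        name = tok.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(".exe"):
            name = name[:-4]
        if name not in WRAPPERS:
            return name
    return ""


def pipelines(cmdline):
    """Split a command line into pipelines, each a list of token-list stages.
    ';', '&&', '||' and '&' end a pipeline, so 'curl u | grep x; python3 y'
    is not treated as one pipe chain (an easy false positive otherwise)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep URLs and flags as single tokens
    result, pipeline, stage = [], [], []
    for tok in lexer:
        if tok == "|":
            pipeline.append(stage)
            stage = []
        elif tok in (";", "&&", "||", "&"):
            pipeline.append(stage)
            result.append(pipeline)
            pipeline, stage = [], []
        else:
            stage.append(tok)
    pipeline.append(stage)
    result.append(pipeline)
    return [[s for s in p if s] for p in result]


def is_download_pipe_to_interpreter(cmdline):
    """True when a curl/wget stage feeds an interpreter stage in the same
    pipeline, directly or through intermediate stages such as tee."""
    for pipeline in pipelines(cmdline):
        names = [program_name(s) for s in pipeline]
        for i, name in enumerate(names):
            if name in DOWNLOADERS and INTERPRETERS & set(names[i + 1:]):
                return True
    return False
```

A match is only a trigger for triage: as the description says, the process lineage (which parent launched the shell, under which user) decides whether a flagged installer one-liner is legitimate.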

Rule History