Suspicious Download and Execute Pattern via Curl/Wget

Rule Info

Name
Suspicious Download and Execute Pattern via Curl/Wget
Author
Aayush Gupta
Description
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Date
2025-06-17 00:00:00
Modified
None
Id
a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
Tags
attack.execution attack.t1059.004 attack.t1203
Type
Community Rule

Rule History

Author
hashdr1ft
Title
Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget
Date
2025-06-25
Commit