Curl Creating Files in Tmp Directory

Rule Info

Name
Curl Creating Files in Tmp Directory
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects curl activity downloading files into temporary directories (/tmp or /var/tmp). This technique is commonly used by threat actors to download malicious payloads, exploiting the universal write permissions of temporary directories.
Date
2025-05-06 00:00:00
Modified
None
Id
a2dbd9cc-03c1-4d4e-9fc7-d2a70ebfcd51
Tags
attack.command-and-control, attack.t1105
Type
Nextron Sigma feed only (private)

Rule History