Interactive File Download in Linux Containers via Curl/Wget Detected
An Elastic Defend for Containers rule detects interactive sessions within Linux containers where `curl` or `wget` are used to download files from the internet, indicating potential adversary command and control or execution activity as threat actors often use such methods to stage payloads, tools, or data for subsequent malicious actions within compromised containerized environments.
This threat brief details a detection rule from Elastic aimed at identifying malicious file downloads within Linux containers. The rule, released on February 6, 2026, and updated on June 30, 2026, focuses on interactive sessions where curl or wget command-line tools are used to retrieve files from external sources. Threat actors frequently leverage these tools for ingress tool transfer (MITRE ATT&CK T1105), allowing them to stage additional payloads, tools, or data for subsequent execution and establishing application-layer command and control without embedding artifacts directly into container images. This behavior is crucial for defenders to monitor as it often signals a compromised container, unauthorized access, or preparation for further malicious activity, such as exfiltration or lateral movement within the Kubernetes cluster.
Impact
If this activity goes undetected, attackers can download and execute arbitrary code, tools, or malware within a compromised container, potentially leading to unauthorized access to sensitive data, establishing persistent command and control channels, or facilitating lateral movement across the containerized environment and underlying infrastructure. The execution of such downloaded payloads could result in data exfiltration, system compromise, resource abuse, or further stages of a multi-pronged attack. The lack of specific victim counts or targeted sectors in the source indicates a general threat applicable to any organization utilizing Linux containers.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect
curlorwgetfile downloads in containers. - Attribute the interactive session to an initiator by correlating container
exec/attachevents with Kubernetes audit logs or Docker daemon logs to identify the user, source IP, and access path. - Inspect the created file’s full path, size, format, and hash, then retrieve it from the container or node filesystem for static analysis and malware scanning.
- Pivot on the download destination (domain/IP/URL path) to review outbound connection telemetry, DNS/TLS indicators, and threat reputation, blocking suspicious endpoints at the egress.
- Review subsequent container activity after the download for follow-on actions such as
chmod, interpreter execution, new processes, cron modifications, credential access, or lateral movement attempts. - Harden your environment by removing
exec/attachpermissions from non-admin roles and enforcing runtime policies that block interactivecurl/wgetand restrict outbound traffic to approved destinations.
Detection coverage 1
Detect Interactive Container File Download via Curl or Wget
mediumDetects interactive sessions within Linux containers that execute curl or wget with options to save output, indicating potential ingress tool transfer or C2 communication.
Detection queries are available on the platform. Get full rules →