Detecting Linux Payload Downloaded and Piped to Interpreter
This brief details a common Linux technique where attackers use scripting interpreters to download malicious payloads from external sources and immediately pipe them into another interpreter for execution, often for purposes like persistence or data exfiltration.
This threat describes a stealthy method employed by adversaries on Linux systems to execute arbitrary code. It involves an initial interpreter (such as a shell, Python, Perl, or Node.js) making an outbound network connection to download a malicious payload. Crucially, this payload is not written to disk but is directly piped as input into a second interpreter (often another shell instance, or a scripting language runtime) for immediate execution. This technique helps attackers evade detection by bypassing file-based security controls and minimizing forensic artifacts. While this brief does not detail a specific campaign, the technique is widely used across various threat groups for initial access, backdoor deployment, or data exfiltration.
Attack Chain
This brief focuses on a specific execution technique rather than a multi-stage campaign:
- Initial Compromise (Implied): An attacker gains initial access to a Linux system through various means (e.g., exploitation of a vulnerable service, compromised credentials, or successful phishing).
- Network Connection by Interpreter: A command-line interpreter (e.g.,
bash,python,curl) is executed to initiate an outbound network connection to a malicious command-and-control (C2) server. - Payload Download: The C2 server delivers a malicious script or binary payload over the established network connection.
- In-Memory Piping: Instead of writing the downloaded payload to a file, the output stream from the download utility is immediately piped (
|) into another command-line interpreter. - Interpreter Execution: The second interpreter (e.g.,
sh,bash,python) receives the malicious payload directly as its standard input and executes it in memory. - Malicious Activity: The executed payload then performs its intended malicious function, such as establishing persistence, exfiltrating data, or launching further attacks.
Impact
Successful execution of payloads using this technique can lead to significant compromise of Linux systems. Because the payload is executed in memory without touching disk, it complicates traditional endpoint detection and incident response efforts. Consequences include system backdooring, complete system takeover, deployment of ransomware, data theft, and lateral movement within the network. This method is particularly effective against environments with weak network egress filtering and endpoint visibility into process command lines.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM/EDR and tune for your Linux environment.
- Ensure comprehensive
process_creationlogging is enabled for all Linux endpoints to capture command-line arguments. - Implement robust egress filtering at the network perimeter to restrict outbound connections from internal systems to known malicious IP addresses or unexpected ports and protocols, especially for common interpreter binaries.
- Regularly audit the
command_linearguments of interpreters likebash,sh,python, andperlfor suspicious download and pipe patterns, as detected by the rule above.
Detection coverage 1
Detect Linux Payload Downloaded and Piped to Interpreter
mediumDetects common Linux interpreters executing commands that involve downloading content via curl/wget and piping it directly for execution, a common defense evasion technique.
Detection queries are available on the platform. Get full rules →