heroui logo

Payload Downloaded by Interpreter and Piped to Interpreter

Elastic Detection Rules

View Source
Summary
This rule detects a technique where a payload is downloaded by an interpreter and piped into the same interpreter for execution, a common method attackers use to fetch and run code. Targeting Linux endpoints, it looks for a tight sequence (max span of 1 second) between a network connection initiated by a known interpreter process (e.g., bash, sh, python, perl, node, ruby, etc.) and a subsequent process start where the interpreter executes with a single argument that suggests a downloaded payload being fed to the interpreter. The rule uses a curated list of interpreter names, checks that the executable or command line contains the payload content, and requires exactly one argument to indicate a piping/download scenario. It also excludes certain local or non-routable destinations. MITRE ATT&CK mappings include Execution (T1059, Unix Shell subtechnique T1059.004), Defense Evasion, and a potential link to Application Layer Protocol/Command and Control (T1071) in the context of downloaded payloads. The rule is designed to work with Elastic Defend data integrated via Fleet on Linux endpoints and with the Elastic Security app setup as documented.
Categories
  • Endpoint
  • Network
Data Sources
  • Network Traffic
  • Process
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1071
Created: 2026-07-02