UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download a ".zip" or ".rar" file from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero-day exploitation.
Sigma rule
title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
status: test
description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.defense-evasion
    - attack.t1140
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/wget'
        CommandLine|contains: 'https://temp.sh/'
        CommandLine|endswith:
            - '.rar'
            - '.zip'
    condition: selection
falsepositives:
    - Unknown
level: high
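The selection above is three conditions AND-ed together, with the two `CommandLine|endswith` values OR-ed. The following is an added example, not part of the Sigma rule or of SigmaHQ, that re-implements just that subset of Sigma matching semantics in Python and runs it over a handful of constructed process_creation events (the paths, URLs and file names are invented). Sigma string modifiers are case-insensitive by default, so the comparison lower-cases both sides. The last sample event shows the rule's coverage edge: because the rule anchors on `CommandLine|endswith`, a command line where the temp.sh URL is not the final token (for example when `-O` follows it) does not fire, which is worth knowing when tuning or extending the rule.

```python
"""Evaluate the UNC4841 temp.sh/wget Sigma selection over sample events.

Constructed example; not the rule's or SigmaHQ's own code. Implements only
the Sigma features this rule uses: field|endswith, field|contains, and a
list of values that is OR-ed. Sigma matching is case-insensitive by default.
"""

# Selection block transcribed from the rule above.
SELECTION = {
    "Image|endswith": "/wget",
    "CommandLine|contains": "https://temp.sh/",
    "CommandLine|endswith": [".rar", ".zip"],
}


def _match_one(value: str, modifier: str, pattern: str) -> bool:
    """Apply a single Sigma string modifier, case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if modifier == "equals":
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """AND across selection keys; a list under one key is OR-ed (Sigma semantics)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False  # missing field never matches
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_one(value, modifier or "equals", p) for p in patterns):
            return False
    return True


# Constructed process_creation events (hypothetical binaries, URLs and paths).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/wget", "CommandLine": "wget https://temp.sh/abcd/update.zip"},
    {"Image": "/usr/bin/wget", "CommandLine": "wget -q https://temp.sh/efgh/data.rar"},
    # Different downloader: Image|endswith '/wget' fails.
    {"Image": "/usr/bin/curl", "CommandLine": "curl -O https://temp.sh/abcd/update.zip"},
    # Different host: CommandLine|contains fails.
    {"Image": "/usr/bin/wget", "CommandLine": "wget https://example.org/update.zip"},
    # URL is not the last token, so CommandLine|endswith does not fire.
    {"Image": "/usr/bin/wget", "CommandLine": "wget https://temp.sh/abcd/update.zip -O /tmp/u"},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the command lines of events that satisfy the selection."""
    return [e["CommandLine"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for line in alerts():
        print("ALERT:", line)
```

Running the block prints two alerts, one for each of the first two events; the curl, non-temp.sh and trailing `-O` events are not matched.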
Related rules
- Potential BlackByte Ransomware Activity
- UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
- UNC4841 - SSL Certificate Exfiltration Via Openssl
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity