UNC4841 - Download Tar File From Untrusted Direct IP Via Wget

 1title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
 2id: 23835beb-ec38-4e74-a5d4-b99af6684e91
 3status: test
 4description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 5references:
 6    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/06/16
 9tags:
10    - attack.defense_evasion
11    - attack.t1140
12    - detection.emerging_threats
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: '/wget'
19        CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
20        CommandLine|contains: '--no-check-certificate'
21        CommandLine|endswith: '.tar'
22    filter_main_local_ips:
23        # Note: Uncomment this filter if you want to exclude local IPs
24        CommandLine|contains:
25            - 'https://10.' # 10.0.0.0/8
26            - 'https://192.168.' # 192.168.0.0/16
27            - 'https://172.16.' # 172.16.0.0/12
28            - 'https://172.17.'
29            - 'https://172.18.'
30            - 'https://172.19.'
31            - 'https://172.20.'
32            - 'https://172.21.'
33            - 'https://172.22.'
34            - 'https://172.23.'
35            - 'https://172.24.'
36            - 'https://172.25.'
37            - 'https://172.26.'
38            - 'https://172.27.'
39            - 'https://172.28.'
40            - 'https://172.29.'
41            - 'https://172.30.'
42            - 'https://172.31.'
43            - 'https://127.' # 127.0.0.0/8
44            - 'https://169.254.' # 169.254.0.0/16
45    condition: selection and not 1 of filter_main_*
46falsepositives:
47    - Unknown
48level: high