Suspicious File Download From File Sharing Domain Via Wget.EXE
Detects potentially suspicious file downloads from file sharing domains using wget.exe
Sigma rule (View on GitHub)
1title: Suspicious File Download From File Sharing Domain Via Wget.EXE
2id: a0d7e4d2-bede-4141-8896-bc6e237e977c
3related:
4 - id: 8b48ad89-10d8-4382-a546-50588c410f0d
5 type: similar
6 - id: d635249d-86b5-4dad-a8c7-d7272b788586
7 type: similar
8 - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
9 type: similar
10 - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
11 type: similar
12 - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
13 type: similar
14 - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
15 type: similar
16 - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
17 type: similar
18 - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
19 type: similar
20 - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
21 type: similar
22 - id: b6e04788-29e1-4557-bb14-77f761848ab8
23 type: similar
24 - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
25 type: similar
26status: test
27description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
28references:
29 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
30 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
31 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
32author: Nasreddine Bencherchali (Nextron Systems)
33date: 2023-05-05
34modified: 2026-03-29
35tags:
36 - attack.execution
37logsource:
38 category: process_creation
39 product: windows
40detection:
41 selection_img:
42 - Image|endswith: '\wget.exe'
43 - OriginalFileName: 'wget.exe'
44 selection_websites:
45 CommandLine|contains:
46 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
47 - '0x0.st'
48 - 'anonfiles.com'
49 - 'bashupload.com'
50 - 'cdn.discordapp.com'
51 - 'chunk.io'
52 - 'ddns.net'
53 - 'dl.dropboxusercontent.com'
54 - 'ghostbin.co'
55 - 'github.com'
56 - 'glitch.me'
57 - 'gofile.io'
58 - 'hastebin.com'
59 - 'mediafire.com'
60 - 'mega.nz'
61 - 'onrender.com'
62 - 'pages.dev'
63 - 'paste.ee'
64 - 'pastebin.com'
65 - 'pastebin.pl'
66 - 'pastetext.net'
67 - 'pixeldrain.com'
68 - 'privatlab.com'
69 - 'privatlab.net'
70 - 'send.exploit.in'
71 - 'sendspace.com'
72 - 'storage.googleapis.com'
73 - 'storjshare.io'
74 - 'supabase.co'
75 - 'temp.sh'
76 - 'transfer.sh'
77 - 'trycloudflare.com'
78 - 'ufile.io'
79 - 'w3spaces.com'
80 - 'workers.dev'
81 - 'x0.at'
82 selection_http:
83 CommandLine|contains: 'http'
84 selection_flag:
85 - CommandLine|re: '\s-O\s'
86 - CommandLine|contains: '--output-document'
87 selection_ext:
88 CommandLine|endswith:
89 - '.ps1'
90 - ".ps1'"
91 - '.ps1"'
92 - '.dat'
93 - ".dat'"
94 - '.dat"'
95 - '.msi'
96 - ".msi'"
97 - '.msi"'
98 - '.bat'
99 - ".bat'"
100 - '.bat"'
101 - '.exe'
102 - ".exe'"
103 - '.exe"'
104 - '.vbs'
105 - ".vbs'"
106 - '.vbs"'
107 - '.vbe'
108 - ".vbe'"
109 - '.vbe"'
110 - '.hta'
111 - ".hta'"
112 - '.hta"'
113 - '.dll'
114 - ".dll'"
115 - '.dll"'
116 - '.psm1'
117 - ".psm1'"
118 - '.psm1"'
119 condition: all of selection_*
120falsepositives:
121 - Unknown
122level: high
References
Related rules
- BITS Transfer Job Download From File Sharing Domains
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Registry Enumeration via WMI Stdregprov