Suspicious File Download From File Sharing Domain Via Wget.EXE

Detects potentially suspicious file downloads from file sharing domains using wget.exe

Sigma rule (View on GitHub)

  1title: Suspicious File Download From File Sharing Domain Via Wget.EXE
  2id: a0d7e4d2-bede-4141-8896-bc6e237e977c
  3related:
  4    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
  5      type: similar
  6    - id: d635249d-86b5-4dad-a8c7-d7272b788586
  7      type: similar
  8    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
  9      type: similar
 10    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
 11      type: similar
 12    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 13      type: similar
 14    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
 15      type: similar
 16    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
 17      type: similar
 18    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
 19      type: similar
 20    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
 21      type: similar
 22    - id: b6e04788-29e1-4557-bb14-77f761848ab8
 23      type: similar
 24    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
 25      type: similar
 26status: test
 27description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
 28references:
 29    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 30    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 31    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 32author: Nasreddine Bencherchali (Nextron Systems)
 33date: 2023-05-05
 34modified: 2026-03-29
 35tags:
 36    - attack.execution
 37logsource:
 38    category: process_creation
 39    product: windows
 40detection:
 41    selection_img:
 42        - Image|endswith: '\wget.exe'
 43        - OriginalFileName: 'wget.exe'
 44    selection_websites:
 45        CommandLine|contains:
 46            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
 47            - '0x0.st'
 48            - 'anonfiles.com'
 49            - 'bashupload.com'
 50            - 'cdn.discordapp.com'
 51            - 'chunk.io'
 52            - 'ddns.net'
 53            - 'dl.dropboxusercontent.com'
 54            - 'ghostbin.co'
 55            - 'github.com'
 56            - 'glitch.me'
 57            - 'gofile.io'
 58            - 'hastebin.com'
 59            - 'mediafire.com'
 60            - 'mega.nz'
 61            - 'onrender.com'
 62            - 'pages.dev'
 63            - 'paste.ee'
 64            - 'pastebin.com'
 65            - 'pastebin.pl'
 66            - 'pastetext.net'
 67            - 'pixeldrain.com'
 68            - 'privatlab.com'
 69            - 'privatlab.net'
 70            - 'send.exploit.in'
 71            - 'sendspace.com'
 72            - 'storage.googleapis.com'
 73            - 'storjshare.io'
 74            - 'supabase.co'
 75            - 'temp.sh'
 76            - 'transfer.sh'
 77            - 'trycloudflare.com'
 78            - 'ufile.io'
 79            - 'w3spaces.com'
 80            - 'workers.dev'
 81            - 'x0.at'
 82    selection_http:
 83        CommandLine|contains: 'http'
 84    selection_flag:
 85        - CommandLine|re: '\s-O\s'
 86        - CommandLine|contains: '--output-document'
 87    selection_ext:
 88        CommandLine|endswith:
 89            - '.ps1'
 90            - ".ps1'"
 91            - '.ps1"'
 92            - '.dat'
 93            - ".dat'"
 94            - '.dat"'
 95            - '.msi'
 96            - ".msi'"
 97            - '.msi"'
 98            - '.bat'
 99            - ".bat'"
100            - '.bat"'
101            - '.exe'
102            - ".exe'"
103            - '.exe"'
104            - '.vbs'
105            - ".vbs'"
106            - '.vbs"'
107            - '.vbe'
108            - ".vbe'"
109            - '.vbe"'
110            - '.hta'
111            - ".hta'"
112            - '.hta"'
113            - '.dll'
114            - ".dll'"
115            - '.dll"'
116            - '.psm1'
117            - ".psm1'"
118            - '.psm1"'
119    condition: all of selection_*
120falsepositives:
121    - Unknown
122level: high

References

Related rules

to-top