Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Sigma rule (View on GitHub)
1title: Suspicious File Download From IP Via Wget.EXE - Paths
2id: 40aa399c-7b02-4715-8e5f-73572b493f33
3status: experimental
4description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
5references:
6 - https://www.gnu.org/software/wget/manual/wget.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2024/02/23
9tags:
10 - attack.execution
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection_img:
16 - Image|endswith: '\wget.exe'
17 - OriginalFileName: 'wget.exe'
18 selection_ip:
19 CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
20 selection_http:
21 CommandLine|contains: 'http'
22 selection_flag:
23 - CommandLine|re: '\s-O\s'
24 - CommandLine|contains: '--output-document'
25 selection_paths:
26 - CommandLine|contains:
27 - ':\PerfLogs\'
28 - ':\Temp\'
29 - ':\Users\Public\'
30 - ':\Windows\Help\'
31 - ':\Windows\Temp\'
32 - '\Temporary Internet'
33 - CommandLine|contains|all:
34 - ':\Users\'
35 - '\Favorites\'
36 - CommandLine|contains|all:
37 - ':\Users\'
38 - '\Favourites\'
39 - CommandLine|contains|all:
40 - ':\Users\'
41 - '\Contacts\'
42 - CommandLine|contains|all:
43 - ':\Users\'
44 - '\Pictures\'
45 condition: all of selection_*
46falsepositives:
47 - Unknown
48level: high
References
Related rules
- Suspicious File Download From IP Via Wget.EXE
- Suspicious PowerShell IEX Execution Patterns
- Weak or Abused Passwords In CLI
- AteraAgent malicious installations
- Custom Cobalt Strike Command Execution