Type: Detection | Level: medium | Status: test

Wget Creating Files in Tmp Directory

Detects wget creating a file in a temporary directory such as "/tmp" or "/var/tmp", a common staging location for tooling fetched onto a host during an intrusion (ATT&CK T1105, Ingress Tool Transfer).

Author: Joseliyo Sanchez
Created: Fri Jun 02
Rule ID: 35a05c60-9012-49b6-a11f-6bab741c9f74

Log Source
Product: linux
Category: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        Image|endswith: '/wget'
        TargetFilename|startswith:
            - '/tmp/'
            - '/var/tmp/'
    condition: selection
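To see exactly what this selection does and does not fire on, the following is an added example (not part of the Sigma project or this rule) that evaluates the rule's selection against a handful of constructed file_event records. It implements the Sigma `startswith`/`endswith` modifiers in the spec's default case-insensitive manner, ORs the values within one field and ANDs the fields, which is how a backend interprets a single selection map. Field names `Image` and `TargetFilename` are taken from the rule; the sample events are constructed, not real telemetry.

```python
"""Evaluate the rule's Sigma selection against constructed file_event records.
Added example; not code from the Sigma project or from this rule's author."""

# Selection copied from the rule's detection block: "field|modifier" -> value(s).
SELECTION = {
    "Image|endswith": "/wget",
    "TargetFilename|startswith": ["/tmp/", "/var/tmp/"],
}


def _match_value(actual: str, modifier: str, expected: str) -> bool:
    """Apply one Sigma string modifier. Sigma matching is case-insensitive by
    default (even though Linux paths are not), so compare lower-cased."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":            # no modifier: exact match
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def field_matches(event: dict, key: str, expected) -> bool:
    """A list of values for one field is an OR; a missing field never matches."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_match_value(actual, modifier, v) for v in values)


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """All fields inside one selection map are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmp/payload.sh"},          # hit
    {"Image": "/usr/local/bin/wget", "TargetFilename": "/var/tmp/.x/agent"},  # hit
    {"Image": "/usr/bin/wget", "TargetFilename": "/home/user/iso.img"},      # not tmp
    {"Image": "/usr/bin/curl", "TargetFilename": "/tmp/payload.sh"},         # not wget
    {"Image": "/usr/bin/wget2", "TargetFilename": "/tmp/payload.sh"},        # endswith '/wget' fails
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmpdata/file"},           # '/tmp/' prefix fails
]


def run_detection(events=SAMPLE_EVENTS) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT wget wrote to tmp:", hit)
```

Two caveats the sample events make visible: `Image|endswith: '/wget'` does not cover `wget2`, and the rule keys on the process that creates the file, so `wget -O - URL > /tmp/x` is missed because the file is created by the shell, not by wget. Pair this rule with process-creation telemetry if that gap matters in your environment.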
False Positives

Legitimate downloads of files in the tmp folder.

Rule Metadata
Rule ID
35a05c60-9012-49b6-a11f-6bab741c9f74
Status
test
Level
medium
Type
Detection
Created
Fri Jun 02
Path
rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
Raw Tags
attack.command-and-control, attack.t1105