Detectionmediumtest

Data Exfiltration with Wget

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Pawel MazurCreated Thu Nov 18Updated Sun Dec 25cb39d16b-b3b6-4a7a-8222-1cf24b686ffclinux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection

False Positives

Legitimate usage of wget utility to post a file

References

MITRE ATT&CK

Tactics

TA0010 · Exfiltration

Sub-techniques

T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol

Rule Metadata

Rule ID

cb39d16b-b3b6-4a7a-8222-1cf24b686ffc

Status

test

Level

medium

Type

Detection

Created

Thu Nov 18

Modified

Sun Dec 25

Author

Pawel Mazur

Path

rules/linux/auditd/execve/lnx_auditd_data_exfil_wget.yml

Raw Tags

attack.exfiltrationattack.t1048.003

View on GitHub