Detection · medium · test
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_img:
        Image|endswith: '/wget'
    selection_output:
        - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
        - CommandLine|contains: '--output-document'
    selection_path:
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
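The three selectors and the `all of selection_*` condition above, re-implemented as a small Python evaluator run over constructed process-creation events. This is an added example, not code from the rule or its project; the event dicts, field names and helper names are assumptions, and it mirrors Sigma's default case-insensitive string matching next to the case-sensitive `|re` modifier so the `-O` versus `-o` distinction the rule's comment refers to is visible.

```python
import re

# Constructed process-creation events (not real telemetry); only the two
# fields the rule inspects, Image and CommandLine, are modelled.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget -O /tmp/update.sh http://example.invalid/update.sh"},
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --output-document=/tmp/update http://example.invalid/update"},
    # -o (lowercase) is wget's log-file option, not an output document;
    # the rule's case-sensitive regex must leave this one alone.
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget -o /tmp/wget.log http://example.invalid/index.html"},
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget -O /home/user/report.pdf http://example.invalid/report.pdf"},
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -o /tmp/update.sh http://example.invalid/update.sh"},
]

# |re is case sensitive, which is why the rule uses it for -O instead of
# |contains; the surrounding \s anchors mirror the rule's pattern exactly.
OUTPUT_FLAG_RE = re.compile(r"\s-O\s")

def _sigma_contains(value, needle):
    # Sigma's plain string modifiers match case-insensitively by default.
    return needle.lower() in value.lower()

def selection_img(event):
    return event.get("Image", "").lower().endswith("/wget")

def selection_output(event):
    cmd = event.get("CommandLine", "")
    # A list under a selector key is OR'ed: either item satisfies the selector.
    return bool(OUTPUT_FLAG_RE.search(cmd)) or _sigma_contains(cmd, "--output-document")

def selection_path(event):
    return _sigma_contains(event.get("CommandLine", ""), "/tmp/")

def matches_rule(event):
    # condition: all of selection_*  -> every selector must hold.
    return selection_img(event) and selection_output(event) and selection_path(event)

def evaluate(events):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]
```

Running `evaluate(SAMPLE_EVENTS)` returns only the first two command lines; the `-o` log-file invocation, the download outside `/tmp/` and the curl event all fall through.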
MITRE ATT&CK
Tactics: Command and Control
Techniques: T1105 (Ingress Tool Transfer)
Rule Metadata
Rule ID: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
Status: test
Level: medium
Type: Detection
Created: Fri Jun 02
Author:
Path: rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
Raw Tags: attack.command-and-control, attack.t1105