Sigma Rules
86 rules found for "attack.T1105"
Remote File Copy
Detects the use of tools that copy files from or to remote systems
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
Curl Usage on Linux
Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start that adds a file to a web request
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Cisco Stage Data
Various protocols may be used to put data on the device for exfil or infil
Executable from Webdav
Detects executable access via webdav6. Seen in APT 29 activity, for example in the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
Suspicious Deno File Written from Remote Source
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Suspicious Dropbox API Usage
Detects an executable that isn't Dropbox but communicates with the Dropbox API
Suspicious Non-Browser Network Communication With Telegram API
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2
Network Connection Initiated By IMEWDBLD.EXE
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads.
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
Browser Execution In Headless Mode
Detects execution of a Chromium-based browser in headless mode
File Download with Headless Browser
Detects execution of a Chromium-based browser in headless mode using the "dump-dom" command line option to download files
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
File Download From IP Based URL Via CertOC.EXE
Detects when a user downloads a file from an IP based URL using CertOC.exe
Suspicious CertReq Command to Download
Detects a suspicious CertReq execution downloading a file. This behavior is often used by attackers to download additional payloads or configuration files. Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from a WebDAV server
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows that outputs the requested document to a local file
Remote File Download Via Desktopimgdownldr Utility
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.