Adding New Linux Auditd rule - Data Exfil with Wget
This commit is contained in:
Pawel Mazur
@@ -0,0 +1,25 @@
|
||||
title: Data Exfiltration with Wget
|
||||
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
|
||||
description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
|
||||
author: 'Pawel Mazur'
|
||||
status: experimental
|
||||
date: 2021/11/18
|
||||
references:
|
||||
- https://attack.mitre.org/tactics/TA0010/
|
||||
- https://linux.die.net/man/1/wget
|
||||
- https://gtfobins.github.io/gtfobins/wget/
|
||||
logsource:
|
||||
product: linux
|
||||
service: auditd
|
||||
detection:
|
||||
wget:
|
||||
type: EXECVE
|
||||
a0: wget
|
||||
a1|startswith: '--post-file='
|
||||
condition: wget
|
||||
tags:
|
||||
- attack.exfiltration
|
||||
- attack.t1048.003
|
||||
falsepositives:
|
||||
- legitimate usage of wget utility to post a file
|
||||
level: medium
|
||||
Reference in New Issue
Block a user