From 87f64e28fdf2e7547f6ef497b2d886b04747b4a5 Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Thu, 18 Nov 2021 18:03:17 +0100
Subject: [PATCH] Adding New Linux Auditd rule - Data Exfil with Wget

---
 .../auditd/lnx_auditd_data_exfil_wget.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_data_exfil_wget.yml

diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
new file mode 100644
index 000000000..4359db96e
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
@@ -0,0 +1,25 @@
+title: Data Exfiltration with Wget
+id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
+description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/11/18
+references:
+    - https://attack.mitre.org/tactics/TA0010/
+    - https://linux.die.net/man/1/wget
+    - https://gtfobins.github.io/gtfobins/wget/
+logsource:
+    product: linux
+    service: auditd
+detection:
+    wget:
+        type: EXECVE
+        a0: wget
+        a1|startswith: '--post-file='
+    condition: wget
+tags:
+    - attack.exfiltration
+    - attack.t1048.003
+falsepositives:
+    - legitimate usage of wget utility to post a file
+level: medium
\ No newline at end of file
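Review bot: The detection only fires when `--post-file=` is the very first argument (`a1`) and argv[0] is exactly `wget`, so an EXECVE record for `wget -q --post-file=… URL` or for wget invoked by absolute path (where, as far as I can tell, auditd records the path as `a0`) would not match even though the same file is posted. GNU wget also accepts the space-separated form `--post-file FILE`, which `startswith: '--post-file='` excludes; dropping the `=` from the prefix covers both spellings. Consider matching `a0|endswith: 'wget'` and checking the option prefix across the first few argument positions as sketched below, noting in a comment that the number of positions checked is a coverage/noise trade-off since auditd records each argv field separately. As a point of style, the selection named `wget` doubling as the condition reads less clearly than the conventional `selection` identifier, and the file should end with a newline (the hunk ends with `\ No newline at end of file`).
```yaml
# … unchanged: title, id, description, author, status, date, references, logsource …
detection:
    selection:
        type: EXECVE
        a0|endswith: 'wget'
    post_file:
        - a1|startswith: '--post-file'
        - a2|startswith: '--post-file'
        - a3|startswith: '--post-file'
    condition: selection and post_file
# … unchanged: tags, falsepositives, level …
```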