phantinuss
25 lines
816 B
YAML
25 lines
816 B
YAML
title: Data Exfiltration with Wget
|
|
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
|
|
description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
|
|
author: 'Pawel Mazur'
|
|
status: experimental
|
|
date: 2021/11/18
|
|
references:
|
|
- https://attack.mitre.org/tactics/TA0010/
|
|
- https://linux.die.net/man/1/wget
|
|
- https://gtfobins.github.io/gtfobins/wget/
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
wget:
|
|
type: EXECVE
|
|
a0: wget
|
|
a1|startswith: '--post-file='
|
|
condition: wget
|
|
tags:
|
|
- attack.exfiltration
|
|
- attack.t1048.003
|
|
falsepositives:
|
|
- Legitimate usage of wget utility to post a file
|
|
level: medium |