/
proc_creation_win_wget_download_direct_ip.yml
61 lines (61 loc) · 1.67 KB
/
proc_creation_win_wget_download_direct_ip.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
title: Suspicious File Download From IP Via Wget.EXE
id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
status: experimental
description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
references:
- https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/27
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wget.exe'
- OriginalFileName: 'wget.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_http:
CommandLine|contains: 'http'
selection_flag:
- CommandLine|re: '\s-O\s'
- CommandLine|contains: '--output-document'
selection_ext:
CommandLine|endswith:
# Note you can transform this into a "contains" to increase coverage but you would need to take care of some FP.
- '.ps1'
- ".ps1'"
- '.ps1"'
- '.dat'
- ".dat'"
- '.dat"'
- '.msi'
- ".msi'"
- '.msi"'
- '.bat'
- ".bat'"
- '.bat"'
- '.exe'
- ".exe'"
- '.exe"'
- '.vbs'
- ".vbs'"
- '.vbs"'
- '.vbe'
- ".vbe'"
- '.vbe"'
- '.hta'
- ".hta'"
- '.hta"'
- '.dll'
- ".dll'"
- '.dll"'
- '.psm1'
- ".psm1'"
- '.psm1"'
condition: all of selection_*
falsepositives:
- Unknown
level: high