EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious File Download From IP Via Wget.EXE - Paths

Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe

Detection Query

selection_img:
  - Image|endswith: \wget.exe
  - OriginalFileName: wget.exe
selection_ip:
  CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
selection_http:
  CommandLine|contains: http
selection_flag:
  - CommandLine|re: \s-O\s
  - CommandLine|contains: --output-document
selection_paths:
  - CommandLine|contains:
      - :\PerfLogs\
      - :\Temp\
      - :\Users\Public\
      - :\Windows\Help\
      - :\Windows\Temp\
      - \Temporary Internet
  - CommandLine|contains|all:
      - :\Users\
      - \Favorites\
  - CommandLine|contains|all:
      - :\Users\
      - \Favourites\
  - CommandLine|contains|all:
      - :\Users\
      - \Contacts\
  - CommandLine|contains|all:
      - :\Users\
      - \Pictures\
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2024-02-23

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.execution
Raw Content
title: Suspicious File Download From IP Via Wget.EXE - Paths
id: 40aa399c-7b02-4715-8e5f-73572b493f33
status: test
description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
references:
    - https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wget.exe'
        - OriginalFileName: 'wget.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        - CommandLine|re: '\s-O\s'
        - CommandLine|contains: '--output-document'
    selection_paths:
        - CommandLine|contains:
              - ':\PerfLogs\'
              - ':\Temp\'
              - ':\Users\Public\'
              - ':\Windows\Help\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high