false positives should be limited, however filtering may be required.

Techniques

T1105

Sample rules

File Download or Read to Pipe Execution

source: splunk
technicques:
- T1105

Description

The following analytic detects the use of download or file reading utilities from Windows, Linux or MacOS to download or read the contents of a file from a remote or local source and pipe it directly to a shell for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime

from datamodel=Endpoint.Processes where

``` This aims to cover download utilities and file reading ones ```

Processes.process IN (
  "*.DownloadFile(*",
  "*.DownloadString(*",
  "*ASCII.GetString*",
  "*bitsadmin*",
  "*certutil*",
  "*curl*",
  "*Invoke-RestMethod*",
  "*Invoke-WebRequest*",
  "*irm*",
  "*iwr *",
  "*mshta*",
  "*wget*"
)

Processes.process IN ("*
|*")

(
  ``` Linux / MacOS ```
  Processes.process IN (
    "*bash*",
    "*csh*",
    "*dash*",
    "*fish*",
    "*ksh*",
    "*rbash*",
    "*tcsh*",
    "*zsh*"
  )
  OR
  ``` Because the "sh" string can overlap and is a short atom we treat it in a special case ```
  Processes.process IN (
    "*
|sh"
    "* sh*"
  )
  OR
  ``` Windows ```
  Processes.process IN ("*IEX*", "*Invoke-Expression*")
)

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `file_download_or_read_to_pipe_execution_filter`

Curl Download and Bash Execution

source: splunk
technicques:
- T1105

Description

The following analytic detects the use of curl on Linux or MacOS systems to download a file from a remote source and pipe it directly to bash for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant as it is commonly associated with malicious actions such as coinminers and exploitation of vulnerabilities like CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could lead to unauthorized code execution, system compromise, and further exploitation within the environment.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process="*-s *") AND (Processes.process="*
|*" AND Processes.process="*bash*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `curl_download_and_bash_execution_filter`

Wget Download and Bash Execution

source: splunk
technicques:
- T1105

Description

The following analytic detects the use of wget on Windows, Linux or MacOS to download a file from a remote source and pipe it to bash. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=wget OR Processes.process_name=wget.exe) ((Processes.process="*-q *" OR Processes.process="*-q" OR Processes.process="*--quiet*") AND Processes.process="*-O- *") AND (Processes.process="*
|*" AND Processes.process="*bash*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `wget_download_and_bash_execution_filter`