Techniques
Sample rules
Linux Ingress Tool Transfer Hunting
- source: splunk
- technicques:
- T1105
Description
The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_ingress_tool_transfer_hunting_filter`