Skip to content
Threat Feed
medium advisory

Potential Data Exfiltration via Wget on Linux Systems

This rule detects the use of wget on Linux systems to upload files to an external server, a tactic commonly used for data exfiltration.

This detection identifies the abuse of wget on Linux systems to exfiltrate data to external servers. Attackers may collect sensitive files, compress them, and then use wget with options such as --post-file, --post-data, or --body-file to transmit the data via HTTP/HTTPS. This activity, while not inherently malicious, becomes suspicious when combined with access to sensitive files or when observed in non-interactive sessions (e.g., cron jobs). The rule focuses on detecting unusual wget command-line arguments indicative of data exfiltration. This helps defenders identify potentially compromised systems where data is being stolen.

Attack Chain

  1. Initial Access: Attacker gains access to the target Linux system through vulnerabilities, stolen credentials, or other means.
  2. Data Collection: Attacker identifies and collects sensitive files from various locations on the system, such as /etc/passwd, /etc/shadow, user SSH keys (~/.ssh/*), environment files (*.env*), and temporary directories (/tmp/*, /var/tmp/*).
  3. Staging: The collected files are often compressed into an archive (e.g., loot.tar.gz) and placed in a temporary directory, like /tmp.
  4. Command Construction: The attacker crafts a wget command to upload the staged data to a remote server. This command typically includes options like --post-file, --post-data, or --body-file to send the file content via HTTP POST.
  5. Exfiltration: The wget command is executed, sending the staged data to the attacker's command and control (C2) server.
  6. Cleanup (Optional): The attacker may attempt to delete the staged archive and any associated scripts to cover their tracks.
  7. Persistence (Optional): The attacker may schedule the exfiltration process via cron jobs or systemd timers to automate the data theft.

Impact

A successful attack can result in the exfiltration of sensitive data, including credentials, configuration files, source code, and customer data. The severity of the impact depends on the nature of the exfiltrated data. Compromised credentials can lead to further unauthorized access to internal systems. Leaked source code can expose vulnerabilities. Stolen customer data can result in financial losses and reputational damage.

Recommendation

  • Deploy the Sigma rule "Potential Data Exfiltration Through Wget" to your SIEM to detect suspicious wget commands (see rules section).
  • Enable process creation logging with command-line arguments on Linux systems to capture the full wget command lines (reference: logsource).
  • Investigate any alerts generated by the Sigma rule by examining the process tree, user context, and destination endpoint to determine legitimacy.
  • Implement network monitoring to detect unusual outbound HTTP/HTTPS traffic, especially POST requests to unfamiliar destinations.
  • Harden Linux systems by restricting the use of wget where it is not necessary and enforcing SELinux/AppArmor policies to limit its capabilities (reference: setup section).
  • Regularly review and audit cron jobs and systemd timers for suspicious entries that could be used for automated data exfiltration.

Detection coverage 2

Potential Data Exfiltration Through Wget

medium

Detects the use of wget to upload files to an external server, a tactic commonly used for data exfiltration.

sigma tactics: exfiltration techniques: T1048 sources: process_creation, linux

Potential Data Exfiltration Through Wget to IP Address

medium

Detects the use of wget to upload files to an IP address, a tactic commonly used for data exfiltration.

sigma tactics: exfiltration techniques: T1048 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →