← Library
splApache-2.0from splunk/security_content

File Download or Read to Pipe Execution

The following analytic detects the use of download or file reading utilities from Windows, Linux or MacOS to download or read the contents of a file from a remote or local source and pipe it directly to a shell for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/file_download_or_read_to_pipe_execution.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime

from datamodel=Endpoint.Processes where

``` This aims to cover download utilities and file reading ones ```

Processes.process IN (
  "*.DownloadFile(*",
  "*.DownloadString(*",
  "*ASCII.GetString*",
  "*bitsadmin*",
  "*certutil*",
  "*curl*",
  "*Invoke-RestMethod*",
  "*Invoke-WebRequest*",
  "*irm*",
  "*iwr *",
  "*mshta*",
  "*wget*"
)

Processes.process IN ("*|*")

(
  ``` Linux / MacOS ```
  Processes.process IN (
    "*bash*",
    "*csh*",
    "*dash*",
    "*fish*",
    "*ksh*",
    "*rbash*",
    "*tcsh*",
    "*zsh*"
  )
  OR
  ``` Because the "sh" string can overlap and is a short atom we treat it in a special case ```
  Processes.process IN (
    "*|sh"
    "* sh*"
  )
  OR
  ``` Windows ```
  Processes.process IN ("*IEX*", "*Invoke-Expression*")
)

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `file_download_or_read_to_pipe_execution_filter`
File Download or Read to Pipe Execution · SPL rule | DetectionLint