Skip to content
Try it Free Request Your Demo


    An Uptycs Comyc


    Meet Red Team Curly and Blue Team Linus. Hijinx will ensue.

    Ever wondered how everyday, innocuous linux commands and utilities can be leveraged by bad actors? Curious how you can detect if they’re being used maliciously in your ecosystem?

    Curly will stop at nothing to infiltrate Hackington and exfiltrate all the data he can find. There’s just one problem. Linus-- always vigilant, alert to anything suspicious, and wise to Curly’s tricks.

    This episode of Sudo Science has Linus, our Blue Team character, standing guard as they protect the outer castle walls. He begins to notice a suspicious line dragging a bag across the ground. Linus begins to investigate and follows the line towards the castle. Inside the castle, Curly has somehow gotten into the castle and is using his new WGET-3000 fishing pole to download some external data. Likely, it is a bag of malicious tools for him to wreck havoc inside the castle.

    Click here to download

    Deep Dive

    curl and wget can be quite the security headache for Linux defenders. While these commands are commonly used by attackers to download malicious tools, user agents, and more, they are also quite useful to Linux users to download completely benign data. This technique is known as T1105 - Ingress Tool Transfer where “adversaries may transfer tools or other files from an external system into a compromised environment”.  The tools reside on an external system controlled by the adversary and are brought into the network via protocols such as FTP or SFTP. According to MITRE ATT&CK, this technique is incredibly common and used through a variety of methods. For example, APT41 will use cerutil while CoinTicker executes a Python script.

    To detect this technique, we can monitor for file creation and files transferred into the network. While we should not rely on this method, we can look for signatures of what is being downloaded (attackers will likely change the signatures over time to evade detection, so this is not a fool proof method). On the behavioral side, we can detect uncommon data flows or transfers. For example, we can analyze network data to see if the client is sending more data than it receives from a server.

    Want to see the full Sudo Science Comyc? Download your copy here.

    Or get more Sudo Science action: Comyc #1, Comyc #3

    Ready To Learn More About Linux Security?

    Ebook: 4 Golden Rules for Linux Security - Download Discover the 4 key components of Linux security with specific recommendations so you can make Linux more Secure: Reduce Attack Surface Area with SSH Best Practices, Scan for Odd User Activity, ... Learn More
    Linux Commands and Utilities Commonly Used by Attackers The Uptycs threat research team has observed several instances of Linux attackers leveraging inbuilt commands and utilities for malicious activities. Learn More
    21 Best Linux Resources For Infrastructure Security Infrastructure security is a top priority now. It’s time to discover server security best practices and the best Linux resources to keep you on track. Learn More

    See Uptycs in Action

    Schedule your demo of the Uptycs Cloud-Native Security Analytics Platform and see how Uptycs can help you protect and defend across modern attack surfaces.

    Schedule Your Demo