Sigma rules for CVE-2017-6508
7 rules · scoped to cve
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
    Detects suspicious use of command-line tools such as curl or wget to download remote
    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
    immediate execution, indicating potential malicious activity. This pattern is commonly used
    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
    - https://gtfobins.github.io/gtfobins/wget/
    - https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
falsepositives:
    - System update scripts using temporary files
    - Installer scripts or automated provisioning tools
level: high

title: Suspicious File Download From IP Via Wget.EXE
id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
references:
    - https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wget.exe'
        - OriginalFileName: 'wget.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        - CommandLine|re: '\s-O\s'
        - CommandLine|contains: '--output-document'
    selection_ext:
        CommandLine|endswith:
            # Note you can transform this into a "contains" to increase coverage but you would need to take care of some FP.
            - '.ps1'
            - ".ps1'"
            - '.ps1"'
            - '.dat'
            - ".dat'"
            - '.dat"'
            - '.msi'
            - ".msi'"
            - '.msi"'
            - '.bat'
            - ".bat'"
            - '.bat"'
            - '.exe'
            - ".exe'"
            - '.exe"'
            - '.vbs'
            - ".vbs'"
            - '.vbs"'
            - '.vbe'
            - ".vbe'"
            - '.vbe"'
            - '.hta'
            - ".hta'"
            - '.hta"'
            - '.dll'
            - ".dll'"
            - '.dll"'
            - '.psm1'
            - ".psm1'"
            - '.psm1"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious File Download From IP Via Wget.EXE - Paths
id: 40aa399c-7b02-4715-8e5f-73572b493f33
status: test
description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
references:
    - https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wget.exe'
        - OriginalFileName: 'wget.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        - CommandLine|re: '\s-O\s'
        - CommandLine|contains: '--output-document'
    selection_paths:
        - CommandLine|contains:
              - ':\PerfLogs\'
              - ':\Temp\'
              - ':\Users\Public\'
              - ':\Windows\Help\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious File Download From File Sharing Domain Via Wget.EXE
id: a0d7e4d2-bede-4141-8896-bc6e237e977c
status: test
description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
modified: 2025-12-10
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wget.exe'
        - OriginalFileName: 'wget.exe'
    selection_websites:
        CommandLine|contains:
            - '.githubusercontent.com'  # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        - CommandLine|re: '\s-O\s'
        - CommandLine|contains: '--output-document'
    selection_ext:
        CommandLine|endswith:
            - '.ps1'
            - ".ps1'"
            - '.ps1"'
            - '.dat'
            - ".dat'"
            - '.dat"'
            - '.msi'
            - ".msi'"
            - '.msi"'
            - '.bat'
            - ".bat'"
            - '.bat"'
            - '.exe'
            - ".exe'"
            - '.exe"'
            - '.vbs'
            - ".vbs'"
            - '.vbs"'
            - '.vbe'
            - ".vbe'"
            - '.vbe"'
            - '.hta'
            - ".hta'"
            - '.hta"'
            - '.dll'
            - ".dll'"
            - '.dll"'
            - '.psm1'
            - ".psm1'"
            - '.psm1"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/wget'
    selection_output:
        - CommandLine|re: '\s-O\s'  # We use regex to ensure a case sensitive argument detection
        - CommandLine|contains: '--output-document'
    selection_path:
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
    Detects attempts to post the file with the usage of wget utility.
    The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
    - https://linux.die.net/man/1/wget
    - https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection
falsepositives:
    - Legitimate usage of wget utility to post a file
level: medium

title: Wget Creating Files in Tmp Directory
id: 35a05c60-9012-49b6-a11f-6bab741c9f74
status: test
description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: linux
    category: file_event
detection:
    selection:
        Image|endswith: '/wget'
        TargetFilename|startswith:
            - '/tmp/'
            - '/var/tmp/'
    condition: selection
falsepositives:
    - Legitimate downloads of files in the tmp folder.
level: medium